IETF Logo Mail Archive

Re: [Last-Call] [v6ops] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Tom Herbert <tom@herbertland.com> Mon, 22 February 2021 14:57 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C733A0964 for <last-call@ietfa.amsl.com>; Mon, 22 Feb 2021 06:57:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2OSBYkP7Pck for <last-call@ietfa.amsl.com>; Mon, 22 Feb 2021 06:57:43 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1538E3A0ABD for <last-call@ietf.org>; Mon, 22 Feb 2021 06:55:55 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id r17so3480982ejy.13 for <last-call@ietf.org>; Mon, 22 Feb 2021 06:55:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SCf0d1WBBDDhdFcvOGvn0EcLkZt4m55Zbo2V9JtWVHo=; b=0YJRO+ttARX7oBMAPvne8PhMzYK7PTk6+yNc+1hBOc29BXocqB+Yw8pLUzjaryVE7y X8Foz3paAk5uQhsVsxBm9hNnwQh7aq+DX06ZThJMhHAOBEw/VLFHYUorcfL5osnO2STq JJsE2+n9m+IhXJ6A74dMrO64VE4/10Z1CGS7MhEXaVIpaT0pBw5UT/yRWRUvBNDY+kXc LdavQz5bGbLDE7q/uva9VB9XR2n2xtlGq5mxlA1f9/q9g8va1/uCFGdtYsu7sh72FrXo cxT+vQwdyKg08t50pHEAEqKpYIK2GQImT5Da/GxgSu73a2uXATNe6B6RwQ6J9BI7/m+F dAtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SCf0d1WBBDDhdFcvOGvn0EcLkZt4m55Zbo2V9JtWVHo=; b=iBhgcE7FZkYYvjJNFWLJf9+KfjQPYbBjszHqBr+sDGOBA2IOMXn1w7jcXc7bEOWx9H AjJrKPVupM1iIcYYjMg6uCFBb4ESoYSbNwFraGw/bXGyO4p/iwAU3m94thDdOtUdjyp9 w6eGS8a09YRTFbp/AIqPwJBzlhcklbEqNHD7rkE3c6LtPb2s/rVJ86+9iszZeWKGBkfK Pc2ju+uOczpk884wHDcUKgZR+J4Zs4SE8UMLF5sYybPKUmJERYP4/g9XPAbEYciPyazX 1iYreM4woDavIzrGPqYQfYnZU58m26I50gk+Ik5V+OyjEHDOtG8Hnb0y9cH6bdaNUU1u YBjQ==
X-Gm-Message-State: AOAM531TowmHYEmaG0oSgUUmCvtCQqtZsYFVNxiErw46da9ZEUVrOV7K cLbnOqwEPxvhw3sObeL2lWPav9K1yz7cpIOebplBCg==
X-Google-Smtp-Source: ABdhPJyDL111H69xJLFG21DqU8bs4gsZ3nShefxPXxBKRgyHKK/QXXkfPbzphxZO0wsOORR8UA76qp3K+xXNQaRPv5E=
X-Received: by 2002:a17:906:4442:: with SMTP id i2mr21693972ejp.41.1614005753403; Mon, 22 Feb 2021 06:55:53 -0800 (PST)
MIME-Version: 1.0
References: <161366727749.10107.14514005068158901089@ietfa.amsl.com> <42668fb5-a355-e656-7d99-c40b3d33fb92@si6networks.com> <0e377231-c319-2157-30a0-759e2f96a692@gmail.com> <5f464f17-85ed-f105-35f9-02f35d04aed2@si6networks.com> <CALx6S364zGbq_HZNNVEaJHnHccuk4Zau2DXhmaVYbwnYQc-5bw@mail.gmail.com> <1847e8e3-543f-5deb-dd14-f7c7fa3677db@si6networks.com> <CALx6S34TPppMRJrOvyJ05LLeRvv+S51pQHJnzZDKk-qOdsF0AA@mail.gmail.com> <e41f3484-f816-e185-2d99-94323c8da732@si6networks.com>
In-Reply-To: <e41f3484-f816-e185-2d99-94323c8da732@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 Feb 2021 07:55:42 -0700
Message-ID: <CALx6S34qSxGijVcs229bAL5gMhMvMNYUXm3yEmrg6wxUiUAiaA@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsv-art@ietf.org, last-call@ietf.org, draft-ietf-v6ops-ipv6-ehs-packet-drops.all@ietf.org, IPv6 Operations <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/JzRXLNgPmGsbmOKg7cfgkI63JmQ>
Subject: Re: [Last-Call] [v6ops] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2021 14:57:45 -0000

On Sun, Feb 21, 2021 at 2:39 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> Hello, Tom,
>
> On 20/2/21 12:32, Tom Herbert wrote:
> [...]
> > On the other hand, there are use cases where it does work and is in
> > deployment; in fact, there are use cases where it's the *only* way to
> > do in flow classification on packets. The implicit requirement of this
> > draft here is that packets have port numbers in plain text, however
> > that is not possible in no-first fragments, tunnel mode IPsec,
> > tunnling protocols the routers don't understand, etc.
>
> What we describe in our document is how this applies to the general
> case, and what the operational reality indicates.
>
> For virtually anything, you can always find a scenario where things work.
>
>
>
> > With regards to extension headers, the presumed problem isn't that the
> > port numbers are present, it's that some, not all, routers have
> > limited capabilities to parse over EHs to find the transport headers.
>
> That's a fact, rather than a presumption.
>
>
>
> > This is reflected in the statement: "If an IPv6 header chain is
> > sufficiently long that it exceeds the packet look-up capacity of the
> > router, the router might be unable to determine how the packet should
> > be handled, and thus could resort to dropping the packet." It's not to
> > me clear what "sufficiently long" means; in particular, such a
> > statement isn't helpful to the host stack developer trying to figure
> > out if the packets they're creating will be properly forwarded.
>
> "Long enough" for the router handling the packet. There are different
> vendors, and different models. S the specific value will vary across
> router vendors and models. In our document, we reference two sample
> values -- but they are certainly not the only ones.
>
Fernando,

Yes, different routers do different things, but can you quantify what
the most commonly deployed routers do? If we can do that then we could
establish a better requirement for host stacks more than just "don't
send IPv6 header chains that are too long". For instance, from the
draft: "some contemporary high-end routers are known to inspect up to
192 bytes, while others are known to parse up to 384 bytes of
header.". That's good information since it at least starts to quantify
the router implementation constraints that are mostly the subject of
this draft (this data really needs a reference by the way). If we
establish what the most common limit is, say the 192 bytes that are
mentioned, then we could establish a requirement on routers that sets
a reasonable expectation for hosts stack as to what will be forwarded
with high probability. Something like "Routers SHOULD parse at least
192 bytes of headers". The host stack in turn, can try to limit what
it sends (e.g. a 192 bytes should be a reasonable budget for most EHs,
larger ones like SR and IOAM tend to be targeted to limited domains in
which case that operator can enforce higher limits in network
devices).

Note that such a limit is a SHOULD; it's obvious that we'll probably
never achieve 100% support on the Internet. But 100% isn't the goal.
IMO, the goal is to address the problems described in this draft,
specifically the operational constraints on routers that lead to
packet drop, in order to reduce drops for packets that contain EH. The
two cited constraints in this draft are TLV processing and parsing
buffer limitations. The problems associated with constraints on TLV
processing constraints are mitigated by RFC8200 relaxing the
requirement that all intermediate nodes must process HBH, and is also
mitigated by allowing limits on the number of TLVs a node processes
(RFC8504 sets a default limit to 8). The problem associated with
parsing buffer constraints could similarly be mitigated by a suggested
limit on the length of the header buffer chain as described above.

Tom

>
> > For
> > the purpose of providing use guidance to the host stack developers,
> > can you please clarify exactly what "sufficiently long" is?  For
> > instance, is it reasonable to expect that modern routers should be
> > able forward packets that contain sixty-four bytes of Destination
> > Options, or Routing Header, or HBH Options?
>
> That's out of the scope of this document. That said, RFC7872 might help
> to answer such question.
>
>
>
> > Note that RFC8504 and
> > RFC8883 do discuss processing limits being exceeded in terms of the
> > protocol considerations (in fact, RFC8504 recommends a specific
> > default limits on the maximum number of HBH and DestOpt options a host
> > will process in order to mitigate the "DoS due to processing
> > requirements" issue raised in 7.4 of this draft).
>
> The possibility of DoS is simply described as one of the possible
> implications of EHs. As noted in the document, while there might be
> filtering policies employed to mitigate DoS attacks, in many cases
> routers resort to dropping packets containing EHs because they prevent
> the router from accessing layer-4 information the router may need to
> process to decide what to do with the packet.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email