Re: [Network-tokens] Network Tokens and HBH option

Toerless Eckert <tte@cs.fau.de> Mon, 13 July 2020 15:34 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: network-tokens@ietfa.amsl.com
Delivered-To: network-tokens@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35D393A1337; Mon, 13 Jul 2020 08:34:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.118
X-Spam-Level:
X-Spam-Status: No, score=-1.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q7xZw7qaJctq; Mon, 13 Jul 2020 08:34:28 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DD763A1238; Mon, 13 Jul 2020 08:34:28 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 013D0548068; Mon, 13 Jul 2020 17:34:23 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id EE4DA440043; Mon, 13 Jul 2020 17:34:22 +0200 (CEST)
Date: Mon, 13 Jul 2020 17:34:22 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Lorenzo Colitti <lorenzo=40google.com@dmarc.ietf.org>
Cc: Tom Herbert <tom@herbertland.com>, 6MAN <6man@ietf.org>, network-tokens@ietf.org
Message-ID: <20200713153422.GZ42197@faui48f.informatik.uni-erlangen.de>
References: <CALx6S35sXX6J75dzQH=hN7pC5=9wZP=o6SqOMpivGPtOdo+YNQ@mail.gmail.com> <CAKD1Yr2iUA9SWJoNsDNFdNYDksKcw8YE2oSB1eJBfy9hiJXb4g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKD1Yr2iUA9SWJoNsDNFdNYDksKcw8YE2oSB1eJBfy9hiJXb4g@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/network-tokens/tZ2_G98LMas3grnUJGcgxhlMcsI>
Subject: Re: [Network-tokens] Network Tokens and HBH option
X-BeenThere: network-tokens@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion list for network tokens <network-tokens.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/network-tokens>, <mailto:network-tokens-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/network-tokens/>
List-Post: <mailto:network-tokens@ietf.org>
List-Help: <mailto:network-tokens-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/network-tokens>, <mailto:network-tokens-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 15:34:31 -0000

Lorenzo,

Some of your reasons are exactly why i think it would be great if
we had a forum to think about how to overcome these issues without
being constrained by RFC8200, even if for reearch purposes. Aka: COuld
we build headers that do not have these issues, and if so, how.

We have started to look at some of the problems we see in the current network
headers in draft-bryant-arch-fwd-layer-ps. We have refrained in that spec
to do ore than problem analysis. Would love to see feedback about that doc.

more inline:

On Mon, Jul 13, 2020 at 05:14:06PM +0900, Lorenzo Colitti wrote:
> Is a hop-by-hop option the right tool here? They have several disadvantages:
> 
>    1. The presence of IPv6 extension headers often causes packets to be
>    dropped, so anything that relies on them is impossible to deploy reliably
>    on the Internet.

Indeed. But i am deeply convinced that a good amount of this problem is
because of bad specs and bad implementations. I make this argument for
e.g: router-alert, where i think we could easily redo it with a new
extension header with better spec, leading to better implementations.
Just as an example.

Besides rfc820 limits, bad specs, bad implementations, there is the fourth
horseman of the pocalypse, which are on-path filters that filter things
they shouldn't filter purely because there is money to be made in
selling the vision of:

   I have a product that can apply policies on anything it can understand,
   and a great policy is to deny anything that you do not explicitly
   know and permit.

There are solutions for this like DPI based tokens (Malice draft) or
encryption (i think Tom has/had this), but i think it would be good to put
this into a separate bucket. Aka: this is only needed for internet paths, but
IMHO not for controlled network paths. To most this seems like we would
already need this level of complexity because Internet paths are most
important, but i disagree: I think most networks are controlled, including
all traffic that looks like Internet as long as it stays within the
access provider of either subscriber of a connection.

>    2. They don't work with forwarded traffic (e.g., a mobile hotspot)
>    because routers aren't really permitted to add extension headers.

Its expensive to work with rfc8200, e.g.: you need to add another
encap header and figue ouut where its to be removed. Hence the desire
to at least research better network headers as well to compare.

>    3. They are expensive because IIRC for a long time the standards said
>    that all intermediate nodes on the path must process them. Many router
>    implementations do not do this, but probably some do.

The main issue is the cost in ignoring headers you don't bother about because
because you either don't implement tem, or they are not enabled/configured.

Cheers
    Toerless

> On Sat, Jul 11, 2020 at 12:54 AM Tom Herbert <tom@herbertland.com> wrote:
> 
> > Hello,
> >
> > This is a draft on "Network Tokens" which is a form of host-to-network
> > signaling for the purposes of providing a highly granular network
> > services and QoS to applications. A primary mechanism to carry the
> > signaling is expected to be a Hop-by-Hop option.
> >
> > https://tools.ietf.org/html/draft-yiakoumis-network-tokens-01
> >
> > There is also a mailing list in
> > https://www.ietf.org/mailman/listinfo/network-tokens
> >
> > We are planning to present in tsvwg and app aware networking and
> > possibly have a side meeting on this topic in IETF108.
> >
> > Thanks,
> > Tom
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> >

> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------


-- 
---
tte@cs.fau.de