IETF Logo Mail Archive

Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC

Nick Hilliard <nick@foobar.org> Sat, 24 November 2018 20:44 UTC

Return-Path: <nick@foobar.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7956E12E7C1; Sat, 24 Nov 2018 12:44:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQ7HU-wyVSQC; Sat, 24 Nov 2018 12:44:10 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 305CA12426E; Sat, 24 Nov 2018 12:44:09 -0800 (PST)
X-Envelope-To: ietf@ietf.org
Received: from crumpet.local (089-101-070074.ntlworld.ie [89.101.70.74] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id wAOKi777095380 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 24 Nov 2018 20:44:07 GMT (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-070074.ntlworld.ie [89.101.70.74] (may be forged) claimed to be crumpet.local
To: "C. M. Heard" <heard@pobox.com>
Cc: IETF <ietf@ietf.org>, OPSEC <opsec@ietf.org>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com> <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com> <CACL_3VGk0CsHObEgSwLdCp8agOWrjccB94-aynEz3Bv0w+EU+w@mail.gmail.com> <475fe28a-aafe-d3b0-e665-fe97dd1439b8@foobar.org> <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <84ee1f5f-f88e-8288-58fa-b820624b57e7@foobar.org>
Date: Sat, 24 Nov 2018 20:44:06 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.5
MIME-Version: 1.0
In-Reply-To: <CACL_3VGHWW8fCDo8Q9br2fwXn5zBi+kN_5a1sOTX7m7QaU8iyg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/2GWqpieLrbDOf3FMpLtsEg9h52c>
Subject: Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-filtering-06.txt> (Recommendations on the Filtering of IPv6 Packets Containing IPv6 Extension Headers) to Informational RFC
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Nov 2018 20:44:13 -0000

C. M. Heard wrote on 24/11/2018 16:14:
> On Sat, Nov 24, 2018 at 7:37 AM Nick Hilliard <nick@foobar.org> wrote:
>> C. M. Heard wrote on 23/11/2018 16:20:
>> transit operators would generally take the view that any data-plane
>> packet which needs to be put through a slow path will be rate limited up
>> to 100% loss.  We can argue endlessly at the IETF about the pros and
>> cons of this from a protocol development and management point of view
>> but at the end of the day, transit operators have networks to run, and
>> there is a jarring disparity between data-plane forwarding speed and
>> control-plane processing capacity.  If you expect one to bleed into the
>> other, something needs to give.  This is often going to be
>> silicon-specific; what is slow-pathed on one platform may not be
>> slow-pathed on another, so generalised statements are difficult in this
>> situation.
> 
> It's not clear to me what that has to do with the specific comments
> that I made (and that you elided).  I would understand if I had brought
> up handling of, say, HbH options rather than default drop policies for
> unknown (and experimental) header types.  Perhaps you could clarify.

hm yes, it was a bit obtuse.  What I was trying to get at (and 
completely failed to achieve) was:

1. that EHs are largely unusable anyway, so if this draft makes some 
types slightly more unusable, that isn't going to make much of a 
practical difference.  RFC7872 suggests failure rates of ~30% - 50% for 
fragment headers.  Once you're in this territory, nothing you can do 
will make things any worse.

2. transit operators don't like filtering stuff.  They will filter 
traffic if and only if that traffic is a nuisance or forms a threat to 
the operation of their networks, and:

> My primary objection is to the advice that says discard unknown
> EHs and upper-layer protocols by default.  That advice needs to
> be more nuanced -- as is the advice for unknown option types
> given in Sec. 4.4.5,   I see no reason why these cases should
> get different advice.

...3. Any recommendation that the IETF makes in this area may, or may 
not, be taken as input into a decision machine, the result of which will 
be to filter, or rate limit, or to forward.  From this perspective, the 
documentation needs to observe and make suggestions.

Nick

v2.23.0 | Report a Bug | By Email