IETF Logo Mail Archive

[Spud] Putting Network-Layer Information in the Network Layer

Brian Trammell <ietf@trammell.ch> Fri, 10 July 2015 10:44 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 576491A8FD6 for <spud@ietfa.amsl.com>; Fri, 10 Jul 2015 03:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJRGXAPFj5JP for <spud@ietfa.amsl.com>; Fri, 10 Jul 2015 03:44:41 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id DEB6D1A8FD5 for <spud@ietf.org>; Fri, 10 Jul 2015 03:44:40 -0700 (PDT)
Received: from [10.0.27.104] (dynamic-94-247-222-033.catv.glattnet.ch [94.247.222.33]) by trammell.ch (Postfix) with ESMTPSA id 8BDC01A0365; Fri, 10 Jul 2015 12:44:39 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_38C878DC-E987-4D24-BAFF-0629170389C4"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail 2.5
From: Brian Trammell <ietf@trammell.ch>
In-Reply-To: <559EB134.2090905@isi.edu>
Date: Fri, 10 Jul 2015 12:44:38 +0200
Message-Id: <CB3FEFD0-1FE0-49D4-A650-349218ABD00A@trammell.ch>
References: <20150703151910.417.20312.idtracker@ietfa.amsl.com> <176C39DB-16F3-4E46-9A1D-22290A38FBA6@tik.ee.ethz.ch> <CALx6S37Eo6eAE4GTkAWGe+w0ZhDHyuMym7+txgjai5GRw+pgiQ@mail.gmail.com> <7158BF85-8731-40A0-9920-36D21D73D7F2@trammell.ch> <CALx6S37w1J=v48gFCH18E-3UZyfC28_d_LTuKjC5VHtXC0eu2Q@mail.gmail.com> <5A64B99E-89C5-4D5C-BFF2-C5F0C25EC35D@trammell.ch> <559D8301.2020604@isi.edu> <006C9182-7352-4086-AF18-785AEFD44979@trammell.ch> <559EB134.2090905@isi.edu>
To: Joe Touch <touch@isi.edu>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/o1bRmn-0oDi_QelZ6kkr6HFBlCs>
Cc: Tom Herbert <tom@herbertland.com>, =?utf-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>, spud@ietf.org
Subject: [Spud] Putting Network-Layer Information in the Network Layer
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 10:44:43 -0000

> On 09 Jul 2015, at 19:36, Joe Touch <touch@isi.edu> wrote:
> 
> 
> 
> On 7/8/2015 10:23 PM, Brian Trammell wrote:
>> hi Joe, all,
> ...
>>> One challenge is that IPv6 options are processed differently than IPv4 -
>>> there's no way to "jump" straight into the transport header to find
>>> ports (for port-based load balancing, e.g.).
>> 
>> Yep. If the option chain had a small and
>> easily-hardware-determinable
>> set of possible lengths -- which is the case for v4 options -- this
>> would be easier (but still harder to handle on the fast path than the
>> arrangements we're proposing here).
> 
> IPv4 options can be jumped over in one step using the IHL field.

yes, |set| = 1.

> There's
> no such field for IPv6 - routers have to walk the chain of headers one
> by one.

Right. It seems to me the way out of this (which is not just a problem for boxes that want to muck about in transport protocols, but ones that want to properly process hop by hop options) would be to define a new (small) set of IPv6 options headers that themselves would (1) not be combinable and (2) have a fixed length, allowing the next-header field to be _treated_ in constant time / with relatively few gates as the IHL field.

I haven't followed 6man, though I presume this approach or approaches like it have been discussed there ad nauseam.

The fixed-lengthness of these new v6 options headers would make them problematic for freely extensible options, though one could use these to stick common fast path options in the "fixed" point of the header, and otherwise point to space elsewhere in the packet for things that can happen slowly. You eat the cost of following pointers and doing the more expensive deframing only if you need to in this case.


>>> I suspect you'll find that IP options are basically a non-starter except
>>> for research purposes.
>> 
>> For the story on the v4 side, do you know of anything newer than
>> Fonseca et al "IP Options are Not and Option" (tech report version at
>> http://www.eecs.berkeley.edu/Pubs/TechRpts/2005/EECS-2005-24.pdf)? It's
>> ten years old -- but given where the engineering effort has gone during
>> that decade, I doubt strongly much has changed here.
> 
> Not much. Those old studies have been used in other WGs to drive
> documents (IMO, unfortunately).

I've been thinking about whether it would be worth the effort to do an updated IP options transparency study.

We revisited the safety of ECN in part because there were plausible processes for the situation to have changed -- the biggest problems that caused the Internet to be ECN-unsafe involved what were basically single-packet exploits against routers, and needed to be fixed for reasons *other* than making the feature work. (ECN *support* is another question, the answer to which is less cheerful.)

I can't think of a comparable process making new/experimental options support less linked to connectivity risk in edge networks -- if nobody uses them (because they don't work) then if you try to use them and they don't work, it's your fault. That would unfortunately seem to be a rather stable state.

Coming back to the layering question:

It does seem to me that what we're (the we that wrote the two documents starting this thread) trying to do is explicitly reinforce the boundary between the network layer and the transport layer, where this is defined as "things the path needs to see versus things only endpoints need to see". Asking nicely (i.e., publishing RFCs) did not work in this case: the transport ports are de facto part of the network layer now, and short of blowing the Internet up and starting over I can't see a way to get them back. So now we are left with enforcing the boundary cryptographically, leaving some space in the "new network layer" (in this case, IP + UDP (for ports) + SPUD) for those things now commonly done within the network.

If we can do this in the _current_ network layer (IPv6 (with options) with some alternate way to handle NAT + DTLS, or we find a portal to an alternate universe where end-to-end IPsec is widely deployable and manageable), then great, let's do that. I'm pessimistic enough to believe that that hasn't been a realistic prospect at any time during this century, though.

Cheers,

Brian

> Joe
> 
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud

v2.8.7 | Report a Bug | By Email