IETF Logo Mail Archive

Re: [Tsv-art] ECMP [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Ole Troan <otroan@employees.org> Thu, 06 December 2018 14:00 UTC

Return-Path: <otroan@employees.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C07A6126C01; Thu, 6 Dec 2018 06:00:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 99Aa_1JIaSVs; Thu, 6 Dec 2018 06:00:34 -0800 (PST)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7F23124D68; Thu, 6 Dec 2018 06:00:34 -0800 (PST)
Received: from astfgl.hanazo.no (30.51-175-112.customer.lyse.net [51.175.112.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id 04866FECC075; Thu, 6 Dec 2018 14:00:34 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id E66A3AB7454; Thu, 6 Dec 2018 15:00:28 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
From: Ole Troan <otroan@employees.org>
In-Reply-To: <bd3d77b4-3d8d-18a1-72bd-ef15b04d72fb@gmail.com>
Date: Thu, 06 Dec 2018 15:00:28 +0100
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Gert Doering <gert@space.net>, tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <BFEAA02E-EF58-4695-BB7C-CA29B4EE7377@employees.org>
References: <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com> <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org> <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <20181205122142.GJ1543@Space.Net> <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net> <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org> <20181205164558.GQ1543@Space.Net> <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org> <cda0e10e-a56d-4598-dcd4-eabeeac52fb0@gmail.com> <a1b478a7-4396-3d9e-0282-c8c66250526c@gmail.com> <99f0a622-b1f8-cc8a-dcba-a608c37eeb0c@gmail.com> <B6EF08AB-AAB1-42EF-B876-629B3DEC13DD@employees.org> <bd3d77b4-3d8d-18a1-72bd-ef15b04d72fb@gmail.com>
To: Stewart Bryant <stewart.bryant@gmail.com>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/EGmK9B3Pb7yT6fTQvaXPHcOPJCc>
Subject: Re: [Tsv-art] ECMP [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 14:00:37 -0000

Stewart,

>> So you are arguing that we need to define ULPs that are easy for routers to parse?
> I don't see how you would conclude that from the above. What is needed is that whatever the parser needs to parse needs to be easy and cheap to parse.

“what’s needed” is clearly something which is very contentious. There is a reason why encryption by default is a necessity.

>> At arbitrary depth? Because why would the buck stop at the UDP header when transport has moved one layer up?
> What is the status of the flow label in practice? As I said earlier in the thread, I know the five tuple is trusted for ECMP, but I hear very little discussion of the flow label being a trusted source of entropy to feed the ECMP selector.

I don’t know. I hear the situation is improving. Would be great if someone with access to a large packet trace could tell us.
That said, you will not always find the ports. fragmented packets, Non TCP/UDP protocols (GRE, IPinIP etc). You need to tackle that case too.
At least with the flow label you would be able to ECMP correctly for a session containing both fragmented and not fragmented packets.

>> As opposed to the 6man argument which is that IPv6 is explicitly designed to only require routers to need to process the first 40 bytes (with the one exception hook).
>> And the design of EHs is specifically done to make it hard to parse for intermediate devices…
> That seems a fundamentally bad idea. Why would you go out of your way to make something difficult when you never know what path future protocol development will take you?

It was a value desicion. Any time the network starts to dwelve deeply into packets that prohibits innovation and end to end transparency.
Of course it wasn’t a perfect solution. Encryption is the only thing that can “solve” it properly.

>> Is that really the Internet we want? Of course it will be countered with encryption, but I foresee a raft of problems if the IETF as a whole would redefine the “formal Internet architecture”.
> I think I have been describing the Internet architecture as it exists today regardless of the what the RFCs say.

Sure. But I think the IETF’s signal effect is quite important.

And we are doing quite a bit to rectify the current state. If everything is encrypted. Sure, you might have a UDP header to do ECMP on, but you would need other indicators to detect attack traffic.

Cheers,
Ole

v2.23.0 | Report a Bug | By Email