IETF Logo Mail Archive

Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 05 December 2018 00:56 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 965BF1200B3; Tue, 4 Dec 2018 16:56:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OTwrDmMgEXMo; Tue, 4 Dec 2018 16:56:26 -0800 (PST)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77E9F130DC2; Tue, 4 Dec 2018 16:56:26 -0800 (PST)
Received: by mail-pl1-x631.google.com with SMTP id k8so9151643pls.11; Tue, 04 Dec 2018 16:56:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=lBpXsBRX6nEHVMWdlLh+dY34d61Q/C0CDY7qNBcXS4E=; b=T2X+GSqIHRt9zkUF0856z23zBUL76w/dLe51hqASdQndLGK6wDwg5ZXObaVn9EAnur atO2Dl6rqE+AKTWv4fHNqe5IbetISC2hMWKdjI8Y30oy2FY6p5sGov6PrDJ02tCIKgrB RMFh51dQ0oHAwA2YVFm/xdyewuAduFewgGQ0PEQq7ZSAsJOUPKT1zMgPoRGIwcxqKo8I AbQlo2YDx0LyNKvdFB9uCmSlSu2/ckluFOHkCU/8hVJu2gU8NoOkNlKTr+Nl4zXJhZbE RG1AjVIe8ip90DH3pJN9wiqLUcojC+DFE/x0/AEG/N35e5s2EFtcVvEQD94KWc/eD6PF GQIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=lBpXsBRX6nEHVMWdlLh+dY34d61Q/C0CDY7qNBcXS4E=; b=X8BwaSRcIS328lsICD1rpCFTUDwOBQhiaVn7bvLi6oykzG9JGNfMBPk7d2Au9SUYmL y9RLPxil74vQJozvV83KIzH7FyKNyDwqdcuvtb/EMteDjMTDCDf+yMImY5lIERUWEDuu H7z1f4JZ7fry832noA5LFr06ddHxo5tm1DZjRIkGkx+VofR5R4Um9tLm1jLGHvxTUX8t mzRAQ6jmXidBxJQanKlPyLNnRS+pcVV1Xeo+kwoiPYRIQFeaigeUgvhtpZ+Yx//GkUYY srl1fVh28YiNVmCu8jIhwYEMNatpdS3tNw7Cw9llULqAmWHoNA+9VQ987SBRJsC+qY+l Th5g==
X-Gm-Message-State: AA+aEWYBgnqSYm1B8Ek06K6OILP+MYYS2QNpeb2Nb007nk30NJOXECWf egZXSPmcAs6CdjLGpQlqPxCbQfjB
X-Google-Smtp-Source: AFSGD/WQ/H/d+eBAAHFAnwpzsuIBkLSczx8n59PmkQgzTUgrmH+BDRHLS1SPv7bz0XfFfPe01VbuhA==
X-Received: by 2002:a17:902:2aaa:: with SMTP id j39mr22743381plb.335.1543971385702; Tue, 04 Dec 2018 16:56:25 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id n70sm25742545pfi.185.2018.12.04.16.56.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 04 Dec 2018 16:56:24 -0800 (PST)
To: Christopher Morrow <morrowc.lists@gmail.com>, heard@pobox.com
Cc: ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec wg mailing list <opsec@ietf.org>, tsv-art@ietf.org
References: <CACL_3VGeJPzDhS0RVAvpQs9W8b4EODft-qJRwBD6Xxm+X6BZ6A@mail.gmail.com> <CAL9jLabK0bZz2nki=oFNHT0OrpVAB8pw7emAj2BtkHRCzkfmqQ@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <cf64abbf-e447-71e3-b983-4e525cc139aa@gmail.com>
Date: Wed, 05 Dec 2018 13:56:19 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.2
MIME-Version: 1.0
In-Reply-To: <CAL9jLabK0bZz2nki=oFNHT0OrpVAB8pw7emAj2BtkHRCzkfmqQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/FXILiEcYr3utlGO2j3Yudr7xEKI>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 00:56:30 -0000

On 2018-12-05 12:23, Christopher Morrow wrote:
> On Tue, Dec 4, 2018 at 5:56 PM C. M. Heard <heard@pobox.com> wrote:
> 
>> On Tue, 4 Dec 2018 15:17:33 -0500 Christopher Morrow wrote:
>>> A solution might be to have a mode where  a router may just ignore all
>>> headers except the src/dst-ip and simply forward all packets, trusting
>>> that the conversing adults will sort out problems with unknown/new/
>>> experimental headers or with a tortured ordering of headers (for
>>> instance).
>>
>> Glad to hear you say that, because that's exactly what RFC 7045
>> envisions as the default forwarding behavior:
>>
>>
> I'm glad I'm not too nuts :)
> 
> 
>>    Any forwarding node along an IPv6 packet's path, which forwards the
>>    packet for any reason, SHOULD do so regardless of any extension
>>    headers that are present [...]
>>
>>
> this does mean that: "please filter the flarbly protocol traffic, eh-1234"
> is going to be very hard to do in the network.

Yes. But extension headers were explicitly defined to be from end system
to end system, not for middleboxes. So that difficulty was designed in.

>> Recognizing that processing of Hop-by-Hop Options in the fast path is
>> costly, RFC 8200 formally dropped the requirement for every router to
>> process them by default:
>>
>>    NOTE: While [RFC2460] required that all nodes must examine and
>>    process the Hop-by-Hop Options header, it is now expected that nodes
>>    along a packet's delivery path only examine and process the
>>    Hop-by-Hop Options header if explicitly configured to do so.
>>
>>
> it's important to note that some platforms can't look beyond a certain
> number of headers, and that ordering of the headers us up to the src, which
> when they are being mean is ... bad :( Even platforms that can look more
> than a few headers deep pay for that with clock cycles, so 100g -> 400g ->
> 1tbps interfaces are less and less likely to see further into the packet(s).

Yes. The IPv6 header was designed so that all the information needed for
*forwarding* was at the front. The extension headers were designed on
the assumption that they would be analysed by a CPU, not by an ASIC
or FPGA, so that the linked-list model seemed fine.

I think people believed that endpoints would take over DPI
filtering: https://www.cs.columbia.edu/~smb/papers/distfw.pdf

    Brian
 
>> What some of us would like to see is a statement in the draft that it's
>> just fine to operate this way (Christian Huitema made that suggestion
>> earlier in this thread, and so did I in my detailed last-call comments).
>>
>>
> oh, good. I like that idea... noting that: "makes filtering bad traffic
> pretty impossible" though.
> 
> 
>> Mike Heard
>>
>

v2.23.0 | Report a Bug | By Email