Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

"Smith, Donald" <Donald.Smith@CenturyLink.com> Thu, 06 December 2018 18:00 UTC

From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: Gert Doering <gert@space.net>, Joe Touch <touch@strayalpha.com>
CC: ietf <ietf@ietf.org>, "draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org" <draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org>, Nick Hilliard <nick@foobar.org>, OPSEC <opsec@ietf.org>, Christian Huitema <huitema@huitema.net>, tsv-art <tsv-art@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Thu, 06 Dec 2018 17:59:58 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D53E5B552@PDDCWMBXEX503.ctl.intranet>
References: <C4886ABA-3BBE-46AE-B2D9-9A6836D7A8BB@strayalpha.com> <2c28d4ac-87de-bcaf-54e8-4e745235c800@gmail.com> <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <4C249487-BD58-41BB-B8B6-081323E29F6C@strayalpha.com>, <20181126075746.GO72840@Space.Net>
In-Reply-To: <20181126075746.GO72840@Space.Net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/GF-8iQsS4R2g8lemUwwEZYvpORA>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Perhaps we should push for some research to evaluate the actual impact?

This is the only study I know that did something like that. It was limited to a single router and is 2 years or so old.

http://www.macrothink.org/journal/index.php/npa/article/viewFile/10190/8493

"The maximum traffic rate was reached with packets of 1518 Bytes and IPv4 protocol, and it decreases with the use of IPv6 protocol. The router reaches higher performance when work with IPv4 traffic. The CPU usage increases with the increase of IPv6 traffic. The use of ACL in IPv4 traffic the CPU usage rises from 6.5% without ACL to 15% with ACL (8.5%) while for IPv6 goes from 67.5% to 82.5%, 15%, the double. The maximum traffic rate falls 1.54 Mbps by the use of ACL in IPv4 and 27.14 Mbps in IPv6. With IPv4 the router is able to support bidirectional traffic without decrease the maximum traffic rate, compared with unidirectional traffic. But for IPv6 in bidirectional traffic the maximum traffic rate is lower than for unidirectional traffic in the same conditions. The use of REH in the traffic supposes an increment of the CPU usage; this increment depends on the packets per second of the data flow."

if (initial_ttl!=255) then (rfc5082_compliant==0)
Donald.Smith@centurylink.com

________________________________________
From: OPSEC [opsec-bounces@ietf.org] on behalf of Gert Doering [gert@space.net]
Sent: Monday, November 26, 2018 12:57 AM
To: Joe Touch
Cc: ietf; draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org; Nick Hilliard; OPSEC; Christian Huitema; tsv-art; Brian E Carpenter
Subject: Re: [OPSEC] [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Hi,

On Sun, Nov 25, 2018 at 09:16:23PM -0800, Joe Touch wrote:
> I.e., most of the analysis in this document is flat out incorrect in assuming that merely because a packet could cause a router to do work that it is a security risk to handle that packet as intended.

And then IETF wonders why operators do not feel like time spent on
providing their input to IETF WGs is well-spent.

What else can it be, on a real-world device, in today's Internet?

Gert Doering
        -- Operator
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
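The per-packet "work" that Gert and Joe are arguing about, and the REH-related CPU cost in the study quoted above, has a concrete shape: a filter cannot see the transport header until it has walked the whole extension header chain, and the length of each header is only known after reading it. The Python sketch below is an added illustration, not code from this thread or from the draft. It walks the chain of a constructed IPv6 packet (Hop-by-Hop, Destination Options, Fragment, then TCP), reports how far into the packet it had to read, and applies a placeholder filter policy; the permitted-header set and the chain-length limit in `filter_decision` are hypothetical values, not the draft's recommendations.

```python
import struct
import ipaddress

# IANA protocol numbers used as IPv6 Next Header values
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
# Extension headers a filter must walk through before it can see the transport header
EXT_HEADERS = frozenset({HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS})


def ext_header_len(nh, hdr):
    """Length in bytes of extension header `nh` whose first two octets are `hdr`
    (RFC 8200 for HBH/Routing/DstOpts/Fragment, RFC 4302 for AH)."""
    if nh == FRAGMENT:
        return 8                      # fixed size; second octet is reserved
    hdr_ext_len = hdr[1]
    if nh == AH:
        return (hdr_ext_len + 2) * 4  # AH counts 32-bit words minus 2
    return (hdr_ext_len + 1) * 8      # 8-octet units, not counting the first 8


def walk_header_chain(pkt):
    """Walk the extension header chain of an IPv6 packet.

    Returns (chain, upper_layer, bytes_examined): the extension header types
    traversed, the Next Header value that ends the chain (None if the chain is
    truncated), and how far into the packet the walk had to read."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, offset, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if offset + 2 > len(pkt):
            return chain, None, offset   # cannot even read Next Header / Hdr Ext Len
        length = ext_header_len(nh, pkt[offset:offset + 2])
        if offset + length > len(pkt):
            return chain, None, offset   # header runs past the end of the packet
        chain.append(nh)
        nh = pkt[offset]
        offset += length
    return chain, nh, offset


def filter_decision(pkt, permitted=EXT_HEADERS, max_headers=3):
    """Hypothetical filter policy for illustration: the permitted set and the
    chain limit are placeholders, not the draft's recommendations."""
    chain, upper, _ = walk_header_chain(pkt)
    if upper is None:
        return "drop", "header chain truncated: upper-layer header not visible"
    for h in chain:
        if h not in permitted:
            return "drop", f"extension header {h} not permitted"
    if len(chain) > max_headers:
        return "drop", f"{len(chain)} extension headers exceeds limit {max_headers}"
    return "permit", f"upper layer {upper} reached after {len(chain)} extension header(s)"


# --- constructed test packets (built here, not captured traffic) ----------

def options_header(next_hdr, extra_units):
    """HBH or DstOpts header of 8*(extra_units+1) bytes, filled with one PadN option."""
    opts_len = 8 * (extra_units + 1) - 2
    return bytes([next_hdr, extra_units, 1, opts_len - 2]) + bytes(opts_len - 2)


def fragment_header(next_hdr, frag_offset=0, more=False, ident=0x1234):
    return struct.pack("!BBHI", next_hdr, 0, (frag_offset << 3) | int(more), ident)


def ipv6_packet(next_hdr, payload):
    src = ipaddress.IPv6Address("2001:db8::1").packed   # documentation prefix
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload


TCP_HDR = bytes(20)  # zeroed TCP header; enough for the chain walk
# HBH (8 B) -> DstOpts (16 B) -> Fragment (8 B) -> TCP
SAMPLE_PKT = ipv6_packet(HOPOPT, options_header(DSTOPTS, 0)
                         + options_header(FRAGMENT, 1)
                         + fragment_header(TCP) + TCP_HDR)
TRUNCATED_PKT = SAMPLE_PKT[:66]      # cut inside the Fragment header
PLAIN_TCP_PKT = ipv6_packet(TCP, TCP_HDR)

if __name__ == "__main__":
    for name, p in (("plain TCP", PLAIN_TCP_PKT), ("3 EHs", SAMPLE_PKT), ("truncated", TRUNCATED_PKT)):
        print(name, walk_header_chain(p), filter_decision(p))
```

The plain TCP packet is classified after 40 bytes; the three-header packet needs 72 bytes and three dependent reads before the filter knows it is looking at TCP at all. The truncated packet shows the failure mode a device has to decide on: when the chain does not fit in the bytes it examines, the upper-layer header is not visible and the packet is either dropped or passed blind.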