Re: [Tsv-art] ECMP [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 06 December 2018 22:16 UTC

To: Nick Hilliard <nick@foobar.org>
Cc: tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
References: <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com> <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org> <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <20181205122142.GJ1543@Space.Net> <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net> <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org> <20181205164558.GQ1543@Space.Net> <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org> <cda0e10e-a56d-4598-dcd4-eabeeac52fb0@gmail.com> <a1b478a7-4396-3d9e-0282-c8c66250526c@gmail.com> <f86a07c8-c421-56db-005c-4db3ce4f3fe0@gmail.com> <3744b28c-3a5a-1ce4-9ff7-5374804d332e@gmail.com> <35277330-4743-4690-8ae0-9a9ab7e34f05@foobar.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <3a182a82-b933-2d9b-52a8-24805717879b@gmail.com>
Date: Fri, 07 Dec 2018 11:16:25 +1300
In-Reply-To: <35277330-4743-4690-8ae0-9a9ab7e34f05@foobar.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/Gtf-2Q5Kt_mvpYoNhNhV4pyA5Rc>
Subject: Re: [Tsv-art] ECMP [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

On 2018-12-07 11:02, Nick Hilliard wrote:
> Brian E Carpenter wrote on 06/12/2018 20:35:
>> But there's a preliminary question: how widely is the flow label set
>> by sending hosts? The answer is: widely, by modern o/s releases. But not
>> much, by legacy o/s releases.
> 
> more to the point, if you were going to implement a forwarding device, 
> do you depend solely on the flow label?
> 
> This gives end-user device control over the hashing path on a purely 
> discretionary basis.  I.e. an end user can change the flow label and 
> consequently make their own decisions about which network path to use, 
> without affecting any other transmission characteristic of the network 
> flow, e.g. port numbers, IP addresses, etc.

Well, ECMP would be based on the {dest, srce, flow_label} 3-tuple so
it's only the layer 4+ info that's missing. That will be missing anyway
when encryption takes over. And any source that plays silly games
with the flow label will damage its own users more than it damages
the network.

> Operationally, flow labels can cause grief.  APNIC had a blog posting on 
> this a while back
> 
> https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/

By Joel J, who generally knows what he's talking about.

"By in large, this flow label changing behaviour has been traced to IPv6 supporting CPE/firewalls, which change the flow label between the initial syn and the ack."

Broken middleboxes can prevent anything from working properly.
 
> Most devices allow the operator to selectively use flow labels as an 
> entropy source for hashing.

And that's progress. Again, the flow label is a long-term play that
will become more important as encryption becomes more of a factor.

   Brian
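The two mechanics discussed in this thread, hashing on the {dst, src, flow_label} 3-tuple without any layer-4 input and the mid-flow label rewriting from the APNIC post, are small enough to model. The following is an added example and not code from the thread or from any vendor; the addresses, the number of equal-cost next hops and the use of SHA-256 as the hash function are all constructed for illustration.

```python
"""Toy model of flow-label-based ECMP and a check for mid-flow label changes.

Added example, not from the mailing-list thread. Addresses, the number of
next hops and the packet samples are constructed.
"""
import hashlib
import ipaddress
from collections import Counter
from typing import List, NamedTuple


class Pkt(NamedTuple):
    src: str          # IPv6 source address
    dst: str          # IPv6 destination address
    flow_label: int   # 20-bit IPv6 flow label
    sport: int = 0    # transport ports: carried but never hashed here
    dport: int = 0


NUM_PATHS = 4  # equal-cost next hops (constructed)


def ecmp_path(pkt: Pkt, num_paths: int = NUM_PATHS) -> int:
    """Pick a next hop from the {dst, src, flow_label} 3-tuple only.

    Nothing above layer 3 is consulted, so the choice is unaffected by the
    ports being unreadable once the transport is encrypted. SHA-256 is used
    only to get a deterministic, well-spread hash in this model.
    """
    key = (ipaddress.IPv6Address(pkt.dst).packed
           + ipaddress.IPv6Address(pkt.src).packed
           + (pkt.flow_label & 0xFFFFF).to_bytes(3, "big"))
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % num_paths


def paths_taken(flow: List[Pkt]) -> Counter:
    """Histogram of next hops used by the packets of one flow."""
    return Counter(ecmp_path(p) for p in flow)


def labels_consistent(flow: List[Pkt]) -> bool:
    """True when every packet of the flow carries the same flow label.

    A flow whose label changes after the SYN (the CPE/firewall behaviour
    quoted from the APNIC post) may be hashed onto a different path
    mid-flow; flagging it is the operator-side check for that grief.
    """
    return len({p.flow_label for p in flow}) <= 1


SRC = "2001:db8:1::10"   # constructed
DST = "2001:db8:2::20"   # constructed

# Constructed clean flow: the sender sets one label and keeps it.
CLEAN_FLOW = [Pkt(SRC, DST, 0x1A2B3, 50000, 443) for _ in range(5)]

# Constructed rewritten flow: the SYN leaves with one label and a
# middlebox rewrites the label on every packet after it.
REWRITTEN_FLOW = [Pkt(SRC, DST, 0x1A2B3, 50000, 443)] + \
    [Pkt(SRC, DST, 0x0C0DE, 50000, 443) for _ in range(4)]


if __name__ == "__main__":
    for name, flow in (("clean", CLEAN_FLOW), ("rewritten", REWRITTEN_FLOW)):
        print(name, "labels consistent:", labels_consistent(flow),
              "paths:", dict(paths_taken(flow)))
```

Because the hash never sees the ports, two packets that differ only in their transport header always land on the same next hop; the only way a flow ends up spread across next hops in this model is a change of flow label within the flow, which is exactly what `labels_consistent` reports.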