Re: [Tsv-art] [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Fernando Gont <> Sun, 21 February 2021 09:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5CA203A18F1; Sun, 21 Feb 2021 01:39:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id w5NZyPln4wbV; Sun, 21 Feb 2021 01:39:47 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A3AFE3A18B7; Sun, 21 Feb 2021 01:39:17 -0800 (PST)
Received: from [IPv6:2800:810:464:2b9:a5f3:43ef:575c:2a1c] (unknown [IPv6:2800:810:464:2b9:a5f3:43ef:575c:2a1c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 663E328095B; Sun, 21 Feb 2021 09:39:09 +0000 (UTC)
To: Tom Herbert <>
Cc: Brian E Carpenter <>, Gorry Fairhurst <>,,,, IPv6 Operations <>
References: <> <> <> <> <> <> <>
From: Fernando Gont <>
Message-ID: <>
Date: Sun, 21 Feb 2021 03:56:59 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Tsv-art] [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 21 Feb 2021 09:39:57 -0000

Hello, Tom,

On 20/2/21 12:32, Tom Herbert wrote:
> On the other hand, there are use cases where it does work and is in
> deployment; in fact, there are use cases where it's the *only* way to
> do in flow classification on packets. The implicit requirement of this
> draft here is that packets have port numbers in plain text, however
> that is not possible in no-first fragments, tunnel mode IPsec,
> tunnling protocols the routers don't understand, etc.

What we describe in our document is how this applies to the general 
case, and what the operational reality indicates.

For virtually anything, you can always find a scenario where things work.

> With regards to extension headers, the presumed problem isn't that the
> port numbers are present, it's that some, not all, routers have
> limited capabilities to parse over EHs to find the transport headers.

That's a fact, rather than a presumption.

> This is reflected in the statement: "If an IPv6 header chain is
> sufficiently long that it exceeds the packet look-up capacity of the
> router, the router might be unable to determine how the packet should
> be handled, and thus could resort to dropping the packet." It's not to
> me clear what "sufficiently long" means; in particular, such a
> statement isn't helpful to the host stack developer trying to figure
> out if the packets they're creating will be properly forwarded.

"Long enough" for the router handling the packet. There are different 
vendors, and different models. S the specific value will vary across 
router vendors and models. In our document, we reference two sample 
values -- but they are certainly not the only ones.

> For
> the purpose of providing use guidance to the host stack developers,
> can you please clarify exactly what "sufficiently long" is?  For
> instance, is it reasonable to expect that modern routers should be
> able forward packets that contain sixty-four bytes of Destination
> Options, or Routing Header, or HBH Options?

That's out of the scope of this document. That said, RFC7872 might help 
to answer such question.

> Note that RFC8504 and
> RFC8883 do discuss processing limits being exceeded in terms of the
> protocol considerations (in fact, RFC8504 recommends a specific
> default limits on the maximum number of HBH and DestOpt options a host
> will process in order to mitigate the "DoS due to processing
> requirements" issue raised in 7.4 of this draft).

The possibility of DoS is simply described as one of the possible 
implications of EHs. As noted in the document, while there might be 
filtering policies employed to mitigate DoS attacks, in many cases 
routers resort to dropping packets containing EHs because they prevent 
the router from accessing layer-4 information the router may need to 
process to decide what to do with the packet.

Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492