[Tsv-art] ECMP [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 06 December 2018 00:34 UTC

To: Stewart Bryant <stewart.bryant@gmail.com>, Ole Troan <otroan@employees.org>, Gert Doering <gert@space.net>
Cc: tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <a1b478a7-4396-3d9e-0282-c8c66250526c@gmail.com>
Date: Thu, 06 Dec 2018 13:34:34 +1300

On 2018-12-06 07:08, Stewart Bryant wrote:
> 
> 
> On 05/12/2018 17:57, Ole Troan wrote:
>>>>> Chained EHs are a relic from a time when everybody was nice and
>>>>> cooperative, bandwidth was sparse, routers used CPUs to forward packets,
>>>>> and money came from governments to research networks in huge amounts.
>>> [..]
>>>> This is the exact reason we have layering in the Internet protocols.
>>>> IPv6 routers are not meant to parse further into packets than the IPv6 header (with one exception (1)).
>>>>
>>>> That network devices find it hard to parse deep into users' traffic is a feature.
>>>> I find the argument that we should then change upper layer protocols to accommodate that, hard to digest.
>>> Ole, you've worked for a vendor long enough, and understand terms like
>>> "rate limiting" and "hardware".
>> You are creating the “perceived” security problem yourself, by requiring processing deeper into the packet than is required.
>> Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header.
>> You seem to think HBH still means “punt to software”. If it ever meant that.
>>
>> There’s no need for rate-limiting for not processing HBH obviously.
> Of course it still needs to step through them all to do ECMP even if 
> they are all disabled. 

No it doesn't. That's what the flow label, in a fixed position early in the IPv6 header, is for. A line speed IPv6 router has no need to look at the layer 4 header, even if it's doing both diffserv and ECMP. Looking at transport headers is an IPv4 concept.

The topic here is not really IPv6 routers. It's devices whose job in life includes filtering. They might also be routers.

> Of course here it is only looking for two values 
> (TCP or UDP).

You too just killed SCTP ;-)

> If it has to look at any it has a much more complex set of tests, or a 
> large vector table  given the way the EH space is fragmented.

Frankly, doing it without a network processor seems wrong. You can't expect
an ASIC or FPGA based device to handle the EH structures.

    Brian
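The two ECMP strategies argued about above, as an added example that is not part of the thread: a 3-tuple hash over fixed offsets of the base header (source, destination, flow label) versus a 5-tuple hash that must walk the extension header chain to reach transport ports. The packet bytes, the documentation-prefix addresses and the use of CRC32 as a stand-in for a real ECMP hash are all constructed here; the chain walk deliberately knows only TCP and UDP, so an SCTP packet gets no 5-tuple hash at all.

```python
import struct
import zlib

IPV6_HDR_LEN = 40
HBH, ROUTING, DSTOPTS, TCP, UDP, SCTP = 0, 43, 60, 6, 17, 132
# Constructed sample addresses (documentation prefix), not taken from the thread.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")

def ipv6_header(src, dst, flow_label, next_hdr, payload_len):
    ver_tc_fl = (6 << 28) | (flow_label & 0xFFFFF)  # version 6, TC 0, 20-bit flow label
    return struct.pack("!IHBB16s16s", ver_tc_fl, payload_len, next_hdr, 64, src, dst)

def ext_header(next_hdr, hdr_ext_len):
    # Generic EH layout: Next Header, Hdr Ext Len (8-octet units, excluding the first 8), zero padding
    return bytes([next_hdr, hdr_ext_len]) + b"\x00" * (8 * (hdr_ext_len + 1) - 2)

def build(transport, flow_label=0x12345, sport=40000, dport=443):
    """Base header -> Hop-by-Hop -> Destination Options -> transport header with two ports."""
    chain = ext_header(DSTOPTS, 0) + ext_header(transport, 1)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 8
    return ipv6_header(SRC, DST, flow_label, HBH, len(chain) + len(l4)) + chain + l4

def ecmp_hash_flow_label(pkt):
    """3-tuple hash over src, dst, flow label: fixed offsets, no EH chain walk."""
    flow = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF
    return zlib.crc32(pkt[8:40] + struct.pack("!I", flow))  # CRC32 stands in for a real hash

def ecmp_hash_transport(pkt):
    """5-tuple hash: walk the EH chain looking for TCP/UDP ports; None if it cannot."""
    nh, off, hops = pkt[6], IPV6_HDR_LEN, 0
    while nh in (HBH, ROUTING, DSTOPTS):
        if off + 2 > len(pkt) or hops >= 8:
            return None  # truncated chain, or deeper than the device's lookup budget
        nh, ext_len = pkt[off], pkt[off + 1]
        off += 8 * (ext_len + 1)
        hops += 1
    if nh not in (TCP, UDP) or off + 4 > len(pkt):
        return None  # SCTP or anything else: no port fields the device understands
    return zlib.crc32(pkt[8:40] + pkt[off:off + 4] + bytes([nh]))

if __name__ == "__main__":
    for proto, name in ((TCP, "TCP"), (SCTP, "SCTP")):
        pkt = build(proto)
        print(name, ecmp_hash_flow_label(pkt), ecmp_hash_transport(pkt))
```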