IETF Logo Mail Archive

Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Christopher Morrow <morrowc.lists@gmail.com> Wed, 05 December 2018 03:57 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22B8C130DD2; Tue, 4 Dec 2018 19:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OT900Z8wTNl; Tue, 4 Dec 2018 19:57:56 -0800 (PST)
Received: from mail-it1-x12b.google.com (mail-it1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 770C5130DCC; Tue, 4 Dec 2018 19:57:56 -0800 (PST)
Received: by mail-it1-x12b.google.com with SMTP id c9so18165829itj.1; Tue, 04 Dec 2018 19:57:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ReYToVRUQtEbbHOEub9Tv7rGregMvQA635yuC+iiV2g=; b=qnJGdLEMNBeghQpDS6cbwpEIk1kJQXeKHPlpO9c8347B9Mn8+dogazbWHXrJEYSZ1K HCjzTIWrgAu82Wee5JJtr3MS+8OGB1rAdGmvVb9BDoKj9Hwy4cLI8o5sGcYWTscDd0/V 9oXcpAr+ttWbhvyfPN5i73brh8P18z0ZUwZ+wXpo17ZxH+ZCILVWOHd5uQEpLGFdZECH JOGgknx5RQyY2JHp+qraWHCm8lnzJ7tHKRqlMtG3GBie91Qn9K52WyKWV4cVwO8vCZzG YdCrV0FjxIYNEEiNHasa/+cpDMfl2K4VNUJ472mpJyV9g/d3h+SCVtd5Qw50f54jFHoT J7tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ReYToVRUQtEbbHOEub9Tv7rGregMvQA635yuC+iiV2g=; b=kBmrV2sm4itycvC8Ta3mlFyw30UueCdHnxl4Qn/G+D2ygO8yRIBAuONSpoxkhU3HlY 0g58R9FQdE+lnM9mNG5FRn56bdS+wos1dO1UiMHQO9knxyTzHM/WyW6P1WdR20iwmc0q r0OWxsaDExbNYmfw2bCD+kNMSYnvQGmKEsaYsNj65zw0AxvMJ1Fc57ij1TtWoOrjJRUk Fd2rPKmnrPTfXychBp8ZQ/RV7U5iTaN9W+e8cnUgkTOsQ4GxZgvzQkOAsklkYD5JJA38 bzNzKrjOVmTaIrjrxTLsBFjJSPZRoH2Fj97XyxA6iMblGnKPFseQ1tQQsxx7EhVeBpYk Sc8A==
X-Gm-Message-State: AA+aEWZ3O4UpDWcWB3RxNRr+X/ewmDJ4Th7VmGRUGAuUlq0BPvJlqACl vVx1fQw/ywLLUj7e3zDzxcPXdTyJ5DGHcTST7H8=
X-Google-Smtp-Source: AFSGD/U42R0SpZSixetMGJd4o5zym0L4vUW7i3KWlSF2ZRjrZ12HpnkQ6pH9uuRljHuHVXsRB76+uHLV226bOyMQCPU=
X-Received: by 2002:a24:32c5:: with SMTP id j188mr13695385ita.139.1543982275487; Tue, 04 Dec 2018 19:57:55 -0800 (PST)
MIME-Version: 1.0
References: <CACL_3VGeJPzDhS0RVAvpQs9W8b4EODft-qJRwBD6Xxm+X6BZ6A@mail.gmail.com> <CAL9jLabK0bZz2nki=oFNHT0OrpVAB8pw7emAj2BtkHRCzkfmqQ@mail.gmail.com> <cf64abbf-e447-71e3-b983-4e525cc139aa@gmail.com>
In-Reply-To: <cf64abbf-e447-71e3-b983-4e525cc139aa@gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Tue, 04 Dec 2018 22:57:43 -0500
Message-ID: <CAL9jLaYMRDGFa7Qzj4ukRV1FPbJM40qbuZ34SYxoA30Z+h3EWw@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: heard@pobox.com, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec wg mailing list <opsec@ietf.org>, tsv-art@ietf.org
Content-Type: multipart/alternative; boundary="00000000000011f1ad057c3e635c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/U8KeQg-kLl7SPlWO_reqgT9r-n0>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 03:57:59 -0000

On Tue, Dec 4, 2018 at 7:56 PM Brian E Carpenter <
brian.e.carpenter@gmail.com> wrote:

> On 2018-12-05 12:23, Christopher Morrow wrote:
> > On Tue, Dec 4, 2018 at 5:56 PM C. M. Heard <heard@pobox.com> wrote:
> >
> >> On Tue, 4 Dec 2018 15:17:33 -0500 Christopher Morrow wrote:
> >>> A solution might be to have a mode where  a router may just ignore all
> >>> headers except the src/dst-ip and simply forward all packets, trusting
> >>> that the conversing adults will sort out problems with unknown/new/
> >>> experimental headers or with a tortured ordering of headers (for
> >>> instance).
> >>
> >> Glad to hear you say that, because that's exactly what RFC 7045
> >> envisions as the default forwarding behavior:
> >>
> >>
> > I'm glad I'm not too nuts :)
> >
> >
> >>    Any forwarding node along an IPv6 packet's path, which forwards the
> >>    packet for any reason, SHOULD do so regardless of any extension
> >>    headers that are present [...]
> >>
> >>
> > this does mean that: "please filter the flarbly protocol traffic,
> eh-1234"
> > is going to be very hard to do in the network.
>
> Yes. But extension headers were explicitly defined to be from end system
> to end system, not for middleboxes. So that difficulty was designed in.
>
>
sure, that's all well an good, but when 1mpps of eh-1234 show up on your
door... uhm, you're going to want "relief" :)
speaking from experience ... you really will want your
ISP/carier/transit/peer to help you NOT get lit on fire.
Them saying: "Well I COULD do that... but ... no, sorry I'm just the bit
carrier, have fun!"
is going to go 'not well' (again, having had this conversation, though not
about ipv6 extension headers).


> >> Recognizing that processing of Hop-by-Hop Options in the fast path is
> >> costly, RFC 8200 formally dropped the requirement for every router to
> >> process them by default:
> >>
> >>    NOTE: While [RFC2460] required that all nodes must examine and
> >>    process the Hop-by-Hop Options header, it is now expected that nodes
> >>    along a packet's delivery path only examine and process the
> >>    Hop-by-Hop Options header if explicitly configured to do so.
> >>
> >>
> > it's important to note that some platforms can't look beyond a certain
> > number of headers, and that ordering of the headers us up to the src,
> which
> > when they are being mean is ... bad :( Even platforms that can look more
> > than a few headers deep pay for that with clock cycles, so 100g -> 400g
> ->
> > 1tbps interfaces are less and less likely to see further into the
> packet(s).
>
> Yes. The IPv6 header was designed so that all the information needed for
> *forwarding* was at the front. The extension headers were designed on
> the assumption that they would be analysed by a CPU, not by an ASIC
> or FPGA, so that the linked-list model seemed fine.
>
> I think people believed that endpoints would take over DPI
> filtering: https://www.cs.columbia.edu/~smb/papers/distfw.pdf
>
>
HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
coming nx400G ... there's just not a reasonable story for "dpi" there. (I
suppose: "yet" and "without paying the approximate value Coca-Cola
Companies yearly advertising budget")

-chris


>     Brian
>
> >> What some of us would like to see is a statement in the draft that it's
> >> just fine to operate this way (Christian Huitema made that suggestion
> >> earlier in this thread, and so did I in my detailed last-call comments).
> >>
> >>
> > oh, good. I like that idea... noting that: "makes filtering bad traffic
> > pretty impossible" though.
> >
> >
> >> Mike Heard
> >>
> >
>

v2.23.0 | Report a Bug | By Email