IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Jared Mauch <jared@puck.nether.net> Fri, 07 December 2018 00:44 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4925131284; Thu, 6 Dec 2018 16:44:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QV06ogakxfoy; Thu, 6 Dec 2018 16:43:59 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 499C8131264; Thu, 6 Dec 2018 16:43:54 -0800 (PST)
Received: from [IPv6:2603:3015:3606:cbe1:d96:a9a:20d2:74d1] (unknown [IPv6:2603:3015:3606:cbe1:d96:a9a:20d2:74d1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id 7F4F2540517; Thu, 6 Dec 2018 19:43:52 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <a31ce8c4-745e-695e-b076-9a0801091c7b@gmail.com>
Date: Thu, 06 Dec 2018 19:43:51 -0500
Cc: Gert Doering <gert@space.net>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, OPSEC <opsec@ietf.org>, Christian Huitema <huitema@huitema.net>, tsv-art <tsv-art@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5FAF0628-A2B0-4AD6-A5B5-4B472F812C70@puck.nether.net>
References: <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net> <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org> <20181205164558.GQ1543@Space.Net> <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org> <20181205180855.GR1543@Space.Net> <6b9dac4f-4d57-7778-bbbe-78ebe399962f@huitema.net> <b7225a00-4e36-2659-ecf9-354a7fb32a9b@gmail.com> <20181206091314.GC1543@Space.Net> <a31ce8c4-745e-695e-b076-9a0801091c7b@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/vPZc8sPh_Ou4WR9sAXxy1tXslXk>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 00:44:08 -0000


> On Dec 6, 2018, at 5:05 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
> Gert,
> 
> On 2018-12-06 22:13, Gert Doering wrote:
>> Hi,
>> 
>> On Thu, Dec 06, 2018 at 01:48:29PM +1300, Brian E Carpenter wrote:
>>> And I don't think that is an oversight. The *definition* of "router"
>>> for IPv6 is "a node that forwards IPv6 packets not explicitly addressed
>>> to itself." No mention of filtering, classification, admission control,...
>> 
>> This definition of a router is nice, but such a device will not be 
>> useful in today's Internet.
> 
> Are you saying that *every* router in a carrier network needs to
> perform filtering? I would have thought that this would be done
> where necessary, but intentionally avoided elsewhere, to reduce
> energy consumption and improve throughput. Anyway…

Depends on how you build your network, but yes, every router needs to
perform filtering and you want it done in hardware as well.

>> What do you want this draft to be?  Theoretically beautiful, or useful
>> for people operating outside a closed and well-controlled network?
> 
> I wasn't actually thinking about this draft; I was just trying to make
> the (obvious) point that IPv6 was designed a certain way and that is
> what the IPv6 standards track documents deal with. This draft is directed
> at the operational community and I fully agree with you that it needs
> to match operational reality as much as possible. (My issues with the
> draft were fixed before it moved to IETF Last Call.)

We learned in the late 90s and early 2000’s about the problems of
processing things like IP options and their complexity.  Most providers
turn off or filter these as they are a risk to the control plane of the
device and there could be loss of control of the device due to the CPU
being consumed with these packets.  You can’t have a few hundred gigs
Of traffic going to the CPU, no matter what scale you think the router
is.

	- Jared

v2.23.0 | Report a Bug | By Email