IETF Logo Mail Archive

Re: [tsvwg] UDP Options: on forcing the use of UDP CS=0 in connection with FRAG+LITE

Tom Herbert <tom@herbertland.com> Fri, 28 June 2019 21:31 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12F4312095E for <tsvwg@ietfa.amsl.com>; Fri, 28 Jun 2019 14:31:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGR_VHslKSfk for <tsvwg@ietfa.amsl.com>; Fri, 28 Jun 2019 14:30:59 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CA3A120944 for <tsvwg@ietf.org>; Fri, 28 Jun 2019 14:30:58 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id w20so12587014edd.2 for <tsvwg@ietf.org>; Fri, 28 Jun 2019 14:30:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Xc/H2DQ9LD+U0IqObP2aRp1Y1WLnSB/+fQ0lDqxD/TY=; b=hVkcMZbhx3IMxKmoTkXLWQy8eNEi/Bkd6uXLtyQzMTOjBoiGHYXRKsdko7xIyYmY7p G9NpAjpYuhBkvclEilaRZXa9ehmo7l96EfsEuS+l7YRquLi5WfBKMJ9iUPPUxhOtdqVv dznGQ2Ys5IRQ90G8n/GZJNtRw56F/cNoBC3DUKQMMZ7VX6y0hpzhPLIlBqJF6a1pQ+9w a07FKBEp/WVHWwyDKVM/Gxr3TWR/2jE1gqTmwYJFKWE3A037fbNQjQn0O214BKbTfyIV oYYLuA+IPHR2cyflC6bpHVtWDMOlBK9veE7wAKeU1YxVjM+jYZs4Cwdip0pFbj1Qsblh CZPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xc/H2DQ9LD+U0IqObP2aRp1Y1WLnSB/+fQ0lDqxD/TY=; b=No3rqO8pETAHplbRzy4b8BKw/J9jGhsEMV/W6uhknea5woehQ+I/f+DKfN3dtqlHBK X5l2utogesKKUWE0xvT7kgpbaBHeUYH18MGkvYbDq8hlYPI8fNzs0WXmgRW/sRzcLha2 mwQUjvAPTrwjm6zUl7LptF0PGgo7AMSTDPbvb5tRAJ941GtslXoqZg47TvIn7STLI5e6 84fvK3FZcpNAQCgJnMUtA7UzagaJDUlkdKgej8HK9e3bWmdxkDuz9EfIxIIGNAku55Jr JjGhT1+wgCPSRRtO0SoiDwPiSR86pgXQ5i3hiRlSdvP68EF+jWJhj46n1qlxtF0IQZ8b FbRg==
X-Gm-Message-State: APjAAAV/btj3X9dvP7GUlmfhaNb06g1V/kjDHGSutiIb0kmEK+kcezyp jGBz/BcUVI931QM5IAnJtqdKW7SGIE2AJ7KlpH/hpYsNNWY=
X-Google-Smtp-Source: APXvYqzStwwOTFjD1MLQ5tEpJJeRRY1nGRcambzWLut8v0iPjCoJm0OfTy4L+WagWITBCIb+u07Wv+LdLouvn/9FHHE=
X-Received: by 2002:a17:906:d183:: with SMTP id c3mr10978780ejz.149.1561757456863; Fri, 28 Jun 2019 14:30:56 -0700 (PDT)
MIME-Version: 1.0
References: <CACL_3VHGtMz3htgfFLRGhjXm=qC7kOXQs+cchtamhh-giBnpLA@mail.gmail.com>
In-Reply-To: <CACL_3VHGtMz3htgfFLRGhjXm=qC7kOXQs+cchtamhh-giBnpLA@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 28 Jun 2019 14:30:45 -0700
Message-ID: <CALx6S35T9ApzMaoSVgHSJPpcpfXsbHHogoBbEjMPj6vH-kxYeA@mail.gmail.com>
To: "C. M. Heard" <heard@pobox.com>
Cc: TSVWG <tsvwg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000071292d058c68fe30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/VA3VuWDmEwMi0_NBa9mDtZFHpIw>
Subject: Re: [tsvwg] UDP Options: on forcing the use of UDP CS=0 in connection with FRAG+LITE
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2019 21:31:06 -0000

On Fri, Jun 28, 2019 at 9:23 AM C. M. Heard <heard@pobox.com> wrote:

> Greetings,
>
> Apologies for the late follow-up on this matter..
>
> I notice the following on the "Pending Changes" slide for the UDP Options
> draft (draft-ietf-tsvwg-udp-options-07) from IETF 104:
>
> • Update LITE+FRAG discussion
>  – Force CS=0 even if user doesn’t ask
>  – User choice of CS=0/not should follow in use of reassembly CS
>
> I strenuously object to the first part of this proposed change.
>
> The proposal is intended to address the problem of LITE not being covered
> by OCS. This lack of coverage is by design: it would defeat the purpose of
> LITE if it were covered by OCS. Unfortunately, the LITE data not being
> covered by OCS means that the checksum compensation needed to achieve a
> high probability of middlebox traversal is not present. The proposal to
> force CS=0 for LITE+FRAG was made ins an attempt to work around the
> middlebox traversal issue.
>
> For IPv6, at least, it seems that UDP CS=0 does not have very good
> middlebox
> traversal properties. Raffaele Zullo has shared with me the results of some
> (admittedly small-scale) measurements he did to look specifically at this,
> and the results were not especially encouraging: depending on the test
> case,
> between 26% and 36% of the paths blocked UDP CS=0 over IPv6 from reaching
> the final router before the  destination (see results for test cases B1
> below). By contrast, a UDP packet with a properly compensated checksum was
> seen in previous measurements to have around a 94% chance of getting to the
> destination under comparable circumstances (see results for IPv6 HTTP in
>
> https://datatracker.ietf.org/meeting/103/materials/slides-103-maprg-a-tale-of-two-checksums-tom-jones-00
> <https://datatracker..ietf.org/meeting/103/materials/slides-103-maprg-a-tale-of-two-checksums-tom-jones-00>
> ).
>
> Also, this is would be violation of RFC8200: "IPv6 receivers must discard
UDP packets containing a zero checksum and should log the error". So it's
not just middleboxes, end hosts will also have problems with UDPv6 zero
checksums.

Tom

There are other issues with forcing UCP CS=0, specifically that doing
> so would leave the UDP header fields (and in particular the UDP length)
> unprotected. The poor middlebox traversal properties, when combined with
> these other disadvantages, IMO make the case against forcing CS=0
> decisive..
>
> Also, this is a direct violation of RFC8200:



> In order to remedy this problem, it is necessary (a) to divorce FRAG from
> LITE and (b) to protect the FRAG data by OCS, at least when the user has
> enabled the UDP checksum for unfragmented datagrams. Fortunately, there is
> a way to do this that is no more complex than the proposal in the existing
> method specified in defined in draft-ietf-tsvwg-udp-options-07. I will
> provide a detailed proposal in a follow-on e-mail.
>
> Thanks and regards,
>
> Mike Heard
>
> On Sat, Apr 20, 2019 at 2:49 AM Raffaele Zullo wrote:
> >
> > Hello Mike,
> > Hello Gorry,
> >
> > You made quite curious about the traversal of IPv6 UDP CS=0, so I run
> > the traceroute measurements from my own host only for this case.
> > These are the results:
> > A)  paths working end-to-end (as explained in a previous email)
> > B)  paths in which last discovered router is the same for UDP with
> > correct CS and UDP with CS=0
> > B1) paths in which last discovered router is the same for UDP with
> > correct CS and UDP with CS=0 and it's 1 TTL from the destination server
> >
> > DNS
> > A)   2%
> > B)  87%
> > B1) 74%
> >
> > HTTP
> > A)  16%
> > B)  77%
> > B1) 64%
> >
> > Obviously this is not enough to say that these paths are compatible with
> > v6 CS=0 but it still suggests that its traversal chances are higher than
> > the bare end-to-end percentage.
> >
> > Happy Easter,
> > Raffaele Zullo
> >
> >
> >
> > On 2019-04-07 16:11, C. M. Heard wrote:
> > > Hello Raffaele,
> > >
> > > Thank you for taking the time to dig out this information.
> > >
> > > I see that the response rates for UDP CS=0 over IPv6 are quite low,
> > > with
> > > or without UDP options.  However, as you point out, the measurements
> > > cannot distinguish cases where middleboxes in the path discard CS=0
> > > packets from cases where the server itself does so.  In order to draw
> > > firm conclusions about the the proportion of paths that drop IPv6 UDP
> > > CS=0,
> > > it seems that one would need some independent means to estimate
> > > the proportion of servers that discard IPv6 UDP CS=0..
> > >
> > > Do you think it would be useful to share this data with the TSVWG list?
> > >
> > > Good luck on the job hunt.
> > >
> > > Mike Heard
> > >
> > > On Sun, Apr 7, 2019 at 6:25 AM Raffaele Zullo wrote:
> > > >
> > > > Hello Gorry,
> > > > Hello Mike,
> > > >
> > > > Sorry for the late reply.
> > > > I've got lost in a few other things (basically job hunting is a job).
> > > >
> > > > Anyway I finally got my VPN access to the lab network restored so I
> > > > could retrieve measurements data.
> > > >
> > > >
> > > > We tested a limited number of (paths to) IPv6 servers, obtained from
> > > > Alexa top-1m:
> > > > 17110 authoritative DNS servers
> > > > and
> > > > 12184 HTTP servers.
> > > >
> > > > DNS servers were tested with well-crafted DNS queries.
> > > > The first packet was a regular UDP packet with correct CS.
> > > > If the server replied to the query then it was tested with CS=0,
> > > > Options, etc.
> > > >
> > > > Paths to HTTP servers were instead tested with padded packets sent to
> > > > UDP port 80.
> > > > The first packet was again a regular UDP packet with correct CS.
> > > > If the server replied with ICMP Port Unreachable, then it was tested
> > > > with CS=0, Options, etc.
> > > >
> > > > Out of 17110 DNS servers
> > > > 1.75% replied to UDP CS=0
> > > > 1.43% replied to UDP+Opt CS=0
> > > >
> > > > Out of 12184 HTTP servers
> > > > 17.21% replied to UDP CS=0
> > > > 16.67% replied to UDP+Opt CS=0
> > > >
> > > >
> > > > These are the raw data.
> > > >
> > > >
> > > > I would add that the portion of paths OK with IPv6 UDP CS=0 can be
> > > > underestimated.
> > > > Since we are measuring paths to servers, the server itself can affect
> > > > the measurement,
> > > > for instance if the path is clean but the server's stack discards
> IPv6
> > > > with UDP CS=0, the outcome of the measurement will be negative.
> > > >
> > > >
> > > > Cheers,
> > > > Raffaele
> > > >
> > >
> >
>

v2.23.0 | Report a Bug | By Email