IETF Logo Mail Archive

Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop

Lorenzo Colitti <lorenzo@google.com> Wed, 31 October 2012 00:46 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51EF721F867C for <v6ops@ietfa.amsl.com>; Tue, 30 Oct 2012 17:46:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.976
X-Spam-Level:
X-Spam-Status: No, score=-102.976 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zfE74RBPAh7z for <v6ops@ietfa.amsl.com>; Tue, 30 Oct 2012 17:46:15 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 521C421F8654 for <v6ops@ietf.org>; Tue, 30 Oct 2012 17:46:15 -0700 (PDT)
Received: by mail-ob0-f172.google.com with SMTP id v19so965956obq.31 for <v6ops@ietf.org>; Tue, 30 Oct 2012 17:46:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-system-of-record; bh=cPmxWivAhqBA9oEB0yejaAqyeNzoU76SHASl7xx4bA0=; b=Yf7eiPl+n7v7xR0R0qfYWLXA+4dAXpMzwvSL4sz31Ir45hyMyKMEm1uay+dTS2f9pq Bdc9gzfEEO3V4OjuD4KzMg10TdNCJAJ48W8ii1hRnCEcGu3EHxHoRWPcbA/kwXD9ZP/7 yxLnE6dm+POH+ZNnzjQCa0nrihVx0xZa3JXnJgCwH8nKLzfxmwyJyk43j8XCq+qVvBgU VaENQKUIbPlfCBPbGJ/MIJXM7l/kWWs9zyJ2Giol4qWw4aremhv9k5YkCGUMw5krwSIK d/BgEc20GX4+fPyc9GmUKcF+rjBsvI+eAVyNdhgcyzlDQXUiDa8KwKVwis148sGzwDf3 zmXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=cPmxWivAhqBA9oEB0yejaAqyeNzoU76SHASl7xx4bA0=; b=PubE4XPyWZba05QCsT8wXcQhcKauvI4O7i61e+DIHDP1VRAc+d6dE8IDgTuRcvXWdn eu+IZPCSAj0v5GM5b9QSi4mreaJyTFG98PuKbsfz/k0mvrF8b8jAs/ltlY561WSIxPg9 /zx+CGhtLRhfWqC9QXzXf2NaV8Yiye9uECpQIwsjk3HhlaKveUtbQqypnGPSs4RwK9Tz 62nmvMYjbFxkAGy5Q8xxgddOt9+Kzso7K/8XXpTF9KzujS/sY3/KM1i977e31GG5Mg0m 5KBIu127wrff4aAlY4AhBOf908mHCcPdWhpwJqLjbGPahaKFZHtwQU4EPvZ+CPnUH0Ka ZW7g==
Received: by 10.182.10.6 with SMTP id e6mr28981464obb.16.1351644374735; Tue, 30 Oct 2012 17:46:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.176.106 with HTTP; Tue, 30 Oct 2012 17:45:53 -0700 (PDT)
In-Reply-To: <1351628087.79801.YahooMailNeo@web32508.mail.mud.yahoo.com>
References: <201210161245.q9GCj0i26478@ftpeng-update.cisco.com> <507DA6A3.20807@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3C3@XCH-NW-01V.nw.nos.boeing.com> <507DAB13.2010704@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3CE@XCH-NW-01V.nw.nos.boeing.com> <507DDF8A.9010607@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF5AB@XCH-NW-01V.nw.nos.boeing.com> <BB219517-B488-4777-AE9C-35C57BE91263@kumari.net> <Pine.LNX.4.64.1210171337470.7337@shell4.bayarea.net> <AC530E99-4054-4B0A-9B5C-30F9EF4A530C@kumari.net> <20121018223121.28B2C2A0041D@drugs.dv.isc.org> <50812F87.5000107@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DF5C66F@XCH-NW-01V.nw.nos.boeing.com> <5085319B.60707@inex.ie> <CAKD1Yr2qDsM6cCPapRmKuWw7SG-cuMd9PuiBD7ineqj7Bp4+Xw@mail.gmail.com> <8C4093E0-4031-4057-9B96-3738A5A48D2D@merike.com> <1351154487.78754.YahooMailNeo@web32504.mail.mud.yahoo.com> <CAKD1Yr1xDC7BefRyaHHKfw9THRkyQWwHS5P05_uWTOV539uS2w@mail.gmail.com> <508A876F.6070503@si6networks.com> <1351454911.47361.YahooMailNeo@web32501.mail.mud.yahoo.com> <CAKD1Yr1CmXV_m4X7Rgdvuj6bXaiaai1rsaosJt5-_m2ChJjgSw@mail.gmail.com> <1351628087.79801.YahooMailNeo@web32508.mail.mud.yahoo.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 31 Oct 2012 09:45:53 +0900
Message-ID: <CAKD1Yr13cNspdWvTaXxHt4R_8UB-CKeA4nq8_XWrkbFGCgW7Gg@mail.gmail.com>
To: Mark Smith <markzzzsmith@yahoo.com.au>
Content-Type: multipart/alternative; boundary="f46d04446911d19d0104cd503a8d"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQmWIR1KYYJ/FoXMnGIl/Yo7vO/PSaAzhhoMWSZ0IAd0XdDHLRk1oX+nHu/l/5+OFmoepr3Po/eAAAKZ1QzkJFWMdQSjVnzPEE6gKt0b5a/xWzu/mcM7xOdSpea4Zxt34ZmwGKriZ39/H1jidoTAkDsnMR+whKi2g0DYP7evgFKf2yNphn6ZTAXPbK3cTF7215whCcOo
Cc: Fernando Gont <fgont@si6networks.com>, V6 Ops <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 00:46:16 -0000

On Wed, Oct 31, 2012 at 5:14 AM, Mark Smith <markzzzsmith@yahoo.com.au>wrote:

> Is it that packets with the fragmentation extension header as the first
> extension header are dropped, and all first extension header types are let
> through (meaning a fragmentation extension header would pass as long as it
> isn't the first), or is it that only TCP and UDP first extension headers
> are let through (and perhaps IPsec ESP) and all others are dropped? My
> pure guess would be the latter is more likely, meaning that this also
> breaks DCCP and SCTP.

 I've been hoping that one of the benefits of IPv6 will be the ability to
> use more modern transport layer protocols like DCCP and SCTP without having
> to encapsulate them inside UDP.
>

I think DCCP and SCTP are easier than fragments.

I think there are two main issues here (in user/enterprise/edge networks;
not in backbone networks):

1. Allow through only what you use.
2. Allow through only what your hardware is capable of inspecting/filtering
at line rate.

#1 equally affects fragment headers and DCCP/SCTP/other protocols. However,
#2 specially affects fragment headers and other extension headers in
general.

As an example: a lot of hardware currently deployed, including, I believe,
the totality of one major backbone router vendor's product line, is unable
to inspect extension headers beyond the first - at all. On such hardware,
saying "allow SCTP from any port to port 53" is no different than saying
"allow UDP from this any port to port 53". The hardware has to do the same
number of lookups, and even the offsets are the same. It's a simple code
fix, if even that. However, saying "allow all UDP packets from any port to
port 53, including fragments" requires that the hardware be able to perform
a more complex lookup on the same packet - look for a fragment header, and
if it's there, skip over it to find the upper-layer protocol header. Things
get more expensive if you consider that it's not just fragment headers -
it's routing headers, and shim6 headers, and any $header that anyone can
dream up and get through the IETF.

Doing this at line rate is hard. AIUI many current forwarding architectures
work by hashing the first X (e.g., 128) bytes of the packet and turning it
into a lookup key that can be processed at high speed (e.g., in TCAM). On
such architectures, there is basically no way to process arbitrary
extension header chains at line rate without substantially increasing the
amount of work that the hardware has to do - and as we know, routers aren't
exactly cheap today.

If you allow the upper-layer header not to be in the first packet at all
(i.e., have the first fragment consist entirely of extension headers). In
this case, there is simply no way to filter correctly unless you do
full-blown stateful filtering AND ensure that all the packets are processed
by the same device.


> >2. If you're an application developer and your apps need to run on the
> Internet, then fragments will likely not work in many cases. If you want
> your application to work in these cases, you should either use
> application-layer fragmentation, use path MTU discovery, or limit yourself
> to small packets instead of sending fragments.
>
>
> ICMP based PMTUD is probably not reliable enough either :-(
>

But it needs to be, or as others say, 1280 is the new 1500 and we'll never
get ourselves out of this hole. Fortunately I think it's easier than
processing arbitrary extension header chains.


> >3. If you control the network (e.g., if you're the network operator), and
> want to use fragments for tunnels or other purposes, go ahead, but note
> that in other people's networks, they might be filtered.
> >
>
> That's ok for e.g. OSPF, however the use case I was thinking of for IPsec
> was across the Internet. It's about 10 years since I did a lot of work with
> IPsec tunnels so I'm wondering how they cope with varying MTUs, broken ICMP
> PMTUD etc. these days. I'm aware that IPsec has become commonly
> encapsulated inside UDP to avoid NATs, but RFC3948 doesn't seem to cover
> fragmentation issues below UDP.
>

As you say, I think we've given up on running IPsec across the Internet. We
use IPsec over UDP instead.

v2.23.0 | Report a Bug | By Email