Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices

Jen Linkova <furry13@gmail.com> Wed, 17 June 2015 13:22 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A0671AC3BA for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 06:22:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k2I5HBVrZpbs for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 06:22:49 -0700 (PDT)
Received: from mail-yh0-x231.google.com (mail-yh0-x231.google.com [IPv6:2607:f8b0:4002:c01::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41D771A914E for <v6ops@ietf.org>; Wed, 17 Jun 2015 06:22:49 -0700 (PDT)
Received: by yhak3 with SMTP id k3so33358507yha.2 for <v6ops@ietf.org>; Wed, 17 Jun 2015 06:22:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=cn6KaNtyQpFdG0cJfNOSD0UAdiaSCoFEz8GdHqRl0lw=; b=NwdcaiO14AeUAs26JsJOKiwo4p+T5Ga0pWSWZcQ9imZ04NgxoKgoG9jDo4dJRaMIca YxhDgbiAlsNZDJcN/ZsxWX9hiMdAsooq+KjYSuzOxFvitJ4LjPRoOUdj9HopVR692QdL bv2Kt/pV5SKV9/sOc/bIs3/4O/wfJncX7CvsjZX8oothjWV5dRxQ3b2Ro8p+3Fu8280S w1yNserQAsW60z6WiSnu5A2YwFTK1Hzpps8oM+dUnIUotgQRe64tlvDvOPNGKKKRR33T pxqbPygG0/eDS8OsWx+VP/lxZHcSj6odeXTS2xytlN5S8YG0iIm/4R7mxUwYEqoLXDyj tjhw==
X-Received: by 10.52.113.97 with SMTP id ix1mr4686592vdb.1.1434547368581; Wed, 17 Jun 2015 06:22:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.82.130 with HTTP; Wed, 17 Jun 2015 06:22:27 -0700 (PDT)
In-Reply-To: <20150617.140235.74748217.sthaug@nethelp.no>
References: <20150517191841.GA26929@ernw.de> <C07DF957-9A2D-4962-ABAA-DE61F5C5D533@cisco.com> <CAFU7BAR0YeGe7NbYTqNSAcMukGjAz6akWaVcODWVJwpTJKQhWQ@mail.gmail.com> <20150617.140235.74748217.sthaug@nethelp.no>
From: Jen Linkova <furry13@gmail.com>
Date: Wed, 17 Jun 2015 15:22:27 +0200
Message-ID: <CAFU7BARNa--MEuOzH5ZsBJ+hY8hCxUH4tVDcSEP95BdkmooLgw@mail.gmail.com>
To: sthaug@nethelp.no
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/5gGUs9hUddWfx3FxDjnRYKI4DYw>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6-wg@ripe.net IPv6" <ipv6-wg@ripe.net>
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 13:22:50 -0000

On Wed, Jun 17, 2015 at 2:02 PM,  <sthaug@nethelp.no> wrote:
>> IMHO it's reasonable to assume that one might
>> need different hardware for "just routing" and enhanced QoS/ACL
>> services (it's a case nowadays anyway).
>
> You may feel it is reasonable. Not everybody agrees. If we compare
> with IPv4: All modern routers I know of (including high speed boxes
> with multiple 10G and 100G ports) are able to handle stateless ACLs
> based on IPv4 addresses and port numbers. The boxes with multiple
> 10G and 100G ports process these ACLs at line rate. I don't pay extra
> for this functionality - possibly because a box *without* such
> functionality would have a limited market.

[skip]

> I agree that the IPv4 packet may have options, making it variable
> length. However the length is still limited by the IHL field, which
> has a max value of 15 (60 bytes).

I'm glad you mentioned 60 bytes ;) Because there are a lot of
reasonably modern hardware around
which copies 64 bytes on-chip. Which means if you happen such hardware
in your network
and your stateless ACL have 'match tcp flags' rules, you might get
quite unexpected results processing packets with
60 bytes IPv4 header....So, while it might be perfectly fine to have
such cars in the core, I'd expect people not to install then at the
border routers
which are supposed to perform enhanced ACL services. It was my point.

So we all agree that 'variable length is OK as long as our hardware
can look deep enough'? And what people are complaining about is exact
number? Which we do not know yet for IPv6 EHs?

-- 
SY, Jen Linkova aka Furry