IETF Logo Mail Archive

Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop

Mark Andrews <marka@isc.org> Fri, 26 October 2012 00:18 UTC

Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EDE221F88B7 for <v6ops@ietfa.amsl.com>; Thu, 25 Oct 2012 17:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.832
X-Spam-Level:
X-Spam-Status: No, score=-1.832 tagged_above=-999 required=5 tests=[AWL=-0.269, BAYES_00=-2.599, SARE_URI_CONS8=1.036]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJasqXmmRmM2 for <v6ops@ietfa.amsl.com>; Thu, 25 Oct 2012 17:18:34 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 2886F21F8830 for <v6ops@ietf.org>; Thu, 25 Oct 2012 17:18:34 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 88AFE5F99A0; Fri, 26 Oct 2012 00:18:23 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (c211-30-172-21.carlnfd1.nsw.optusnet.com.au [211.30.172.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 7AE5E216C7B; Fri, 26 Oct 2012 00:18:21 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 58B2B2A4409B; Fri, 26 Oct 2012 11:18:18 +1100 (EST)
To: Andrew Yourtchenko <ayourtch@cisco.com>
From: Mark Andrews <marka@isc.org>
References: <201210161245.q9GCj0i26478@ftpeng-update.cisco.com> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3A2@XCH-NW-01V.nw.nos.boeing.com> <507DA6A3.20807@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3C3@XCH-NW-01V.nw.nos.boeing.com> <507DAB13.2010704@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3CE@XCH-NW-01V.nw.nos.boeing.com> <507DDF8A.9010607@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF5AB@XCH-NW-01V.nw.nos.boeing.com> <BB219517-B488-4777-AE9C-35C57BE91263@kumari.net> <Pine.LNX.4.64.1210171337470.7337@shell4.bayarea.net> <AC530E99-4054-4B0A-9B5C-30F9EF4A530C@kumari.net> <20121018223121.28B2C2A0041D@drugs.dv.isc.org> <50812F87.5000107@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DF5C66F@XCH-NW-01V.nw.nos.boeing.com> <5085319B.60707@inex.ie> <CAKD1Yr2qDsM6cCPapRmKuWw7SG-cuMd9PuiBD7ineqj7Bp4+Xw@mail.gmail.com> <8C4093E0-4031-4057-9B96-3738A5A48D2D@merike.com> <1351154487.78754.YahooMailNeo@web32504.mail.mud.yahoo.com> <20121025202222.185852A40C3F@drugs.dv.isc.org > <alpi ne.DEB.2.02.1210260013030.15761@ayourtch-lnx>
In-reply-to: Your message of "Fri, 26 Oct 2012 00:32:36 +0200." <alpine.DEB.2.02.1210260013030.15761@ayourtch-lnx>
Date: Fri, 26 Oct 2012 11:18:18 +1100
Message-Id: <20121026001818.58B2B2A4409B@drugs.dv.isc.org>
Cc: V6 Ops <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2012 00:18:35 -0000

In message <alpine.DEB.2.02.1210260013030.15761@ayourtch-lnx>, Andrew Yourtchen
ko writes:
> 
> 
> On Fri, 26 Oct 2012, Mark Andrews wrote:
> 
> >> Internet involves developing for the worst case, not the best. If a small
> >> but significant enough portion of sites on the Internet drop fragments, th
> en
> >> applications will be developed to avoid using fragments. Once applications
> >> avoid using fragments to suit some sites on the Internet, then all sites
> >> on the Internet may as well drop them, because they've been rendered usele
> s=
> >> s.
> >
> > Or they learn to adapt and use fragments where they work.  DNS clients
> > do this today.  They get stuck behind equipment that:
> >
> > 	* drops packets > 512 bytes
> > 	* drops fragments
> > 	* drops EDNS packets
> > 	* drops packets with DO set
> > 	* drops packets where the initial fagment doesn't arrive first
> >
> > The clients adapt the queries they make to get responses back.
> >
> > They work much more efficiently however if they can get fragmented EDNS
> > responses back.
> 
> What about DNSSEC ? Seems like there's a problem if the fragmentation 
> does not work correctly: https://tnc2012.terena.org/getfile/1603

Which looks at a single query / response rather than a complete
system.  There are nameservers that do not respond to EDNS packets.
There are firewall that do not pass DNS/UDP packets bigger than 512
bytes.  These two issues overwhelm any issues due to fragmentation.

Nameserver vendors need to deal with these issues as they exist in
the real world ever if there isn't a RFC which says how to deal
with them.

Named sends EDNS@4096, EDNS@512 and plain DNS queries when resolving
queries.  It does this with sub second retry timeouts.  Most referrals
do not require fragmentation.  If there is not enough space in the
UDP response the server falls over to TCP.   Named drops the optional
parts of DNSKEY/DS responses reducing the likelyhood of fragmentation.
Named drops optional parts of responses when it sees a EDNS@512
query reducing the likelyhood of TCP fallback.

    isc.org referral w/ dnssec is 681 bytes from the root servers
    isc.org referral w/ dnssec is 514 bytes from the org servers
    the isc.org dnskey response is 463 bytes from the isc.org servers
    the org dnskey response is 1334 or 1723 bytes depending apon
	which nameserver impementatin you hit
    the root dnskey response is 736 bytes
    a nxdomain response for sdlkfhadslhasjdhgfjgask is 652 bytes (NSEC)
    a nxdomain response for sdlkfhadslhasjdhgfjgask.org is 1021 bytes (NSEC3)

Both the server and clients sides can limiting the sizes of UDP
responses being sent.  If you are validating and are stuck behind
a firewall that you can't change that blocks fragmented responses
you can tell the nameserver to announce a smaller EDNS UDP buffer
size that is unlikely to cause fragmentation.  Unless you are
validating plain DNS responses from signed zones do not cause any
issues.

In practice you get an occasional slow down due to fragmentation
when validating if you havn't fixed your local firewall or tuned
your nameserver to account for the firewall.

There is code (unreleased) that will do EDNS@4096, EDNS@1432 ([46]
in [46]), EDNS@1232 (IPv6 network MTU), EDNS@512 (stupid firewalls)
and plain DNS (even stupider firewalls / broken servers).  A little
bit of extra state per server talked to is used to remember this
across multiple queries.   Named already tracks response times.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email