IETF Logo Mail Archive

Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop

joel jaeggli <joelja@bogus.com> Sat, 03 November 2012 01:27 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E18D911E8101 for <v6ops@ietfa.amsl.com>; Fri, 2 Nov 2012 18:27:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.655
X-Spam-Level:
X-Spam-Status: No, score=-101.655 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, J_CHICKENPOX_13=0.6, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THxtP9Q2rKCb for <v6ops@ietfa.amsl.com>; Fri, 2 Nov 2012 18:27:16 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 62E4211E80A3 for <v6ops@ietf.org>; Fri, 2 Nov 2012 18:27:16 -0700 (PDT)
Received: from dhcp-413c.meeting.ietf.org ([130.129.65.60]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id qA31R1kQ084347 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Sat, 3 Nov 2012 01:27:08 GMT (envelope-from joelja@bogus.com)
Message-ID: <5094269F.3000705@bogus.com>
Date: Fri, 02 Nov 2012 13:01:35 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Ole Trøan <otroan@employees.org>
References: <CAKD1Yr13cNspdWvTaXxHt4R_8UB-CKeA4nq8_XWrkbFGCgW7Gg@mail.gmail.com> <5090DECF.3050100@gmail.com> <CAKD1Yr1dUy-f78A2+kfA7NjpzD0WQRT8iwqGYAm5A=Erodpn-A@mail.gmail.com> <20121031.122110.41655699.sthaug@nethelp.no> <50910E41.2030100@gmail.com> <CAKD1Yr0mTTcVeq+Qf0fLv3UCBP_90QmStkK3Ha4tDdm3FxJjVA@mail.gmail.com> <50915F86.7050304@gmail.com> <509165B8.404@si6networks.com> <509169C2.9040208@isi.edu> <50916F21.6030303@si6networks.com> <509174F1.8080809@isi.edu> <50924264.7040300@gmail.com> <76E349F3-6022-4042-9B44-57507593B8DE@employees.org>
In-Reply-To: <76E349F3-6022-4042-9B44-57507593B8DE@employees.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Sat, 03 Nov 2012 01:27:10 +0000 (UTC)
Cc: Fernando Gont <fgont@si6networks.com>, v6ops@ietf.org
Subject: Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2012 01:27:17 -0000

On 11/1/12 4:16 AM, Ole Trøan wrote:
>>>>> Yes, but the whole point of the IPv6 option architecture was to avoid
>>>>> the issues seen with IPv4 options.
>>>> The only thing in that IPv6 would avoid is requiring routers to parse
>>>> *all* options, just to find the ones that need to be processed by
>>>> routers.
>>> Yes.
>> No. The only extension header that *needs* to be parsed by intermediate
>> routers is the hop-by-hop options header, and that is the first one (if
>> present).
>>
>> (You can legitimately argue that the hbh header and the routing header
>> are effectively useless, but that doesn't break fundamental connectivity.)
>>
>> IPv6 routers should have nothing to do with fragmentation.
That horse left the barn when we use L4 headers as part of a 
load-balancing hash key.

While the potential for reordering due to differing path selection is 
superficially irrelevant in the core (I do have four 4 ECMPed 
cross-country paths in the US with about 12ms difference in rtt between 
the shortest and longest), when fronting a stateful device like load 
balancer(s) or firewall(s)  it is not.

Now, if the flow label were reliably immutable and non-zero it might be 
a suitable replacement for the L4 header in the hash calculation.

>>
>> The problem is due to middleboxes that break the IPv6 spec by inspecting
>> any part of the packet beyond the hop-by-hop header and discarding what
>> they don't understand.
>
> quite.
> what stops these boxes from filtering IPsec, TLS, or anything that isn't HTTP with a
> whitewashed URL?
So, I'm providing service to an application we are generally inclined to 
limit the service area exposed on  the application, which I think of a 
pretty good fit for L4-leveraging stateless ACLS.
>
> I don't see how we can build protocols to accommodate middle boxes, and
> we have already done RFC3514.
Nor do i think it's likely that we'll come to a great deal of consensus 
on "you absolutely cannot use L4 headers in forwarding filtering 
calculations." it's pretty clear from modern router platforms that 
customers demand those.

What I think we can do is document the observance of the phenomenon, 
acknowledge what gets broken as a result, and perhaps provide advice 
that limits the scope of the damage.
> cheers,
> Ole
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email