IETF Logo Mail Archive

[v6ops] Hurting routers ? Re: FW: New Version Notification for draft-vyncke-v6ops-james-01.txt

Toerless Eckert <tte@cs.fau.de> Mon, 21 March 2022 10:58 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 485EE3A0DCD for <v6ops@ietfa.amsl.com>; Mon, 21 Mar 2022 03:58:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.66
X-Spam-Level:
X-Spam-Status: No, score=-1.66 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.248, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 806dnYT90lBb for <v6ops@ietfa.amsl.com>; Mon, 21 Mar 2022 03:58:15 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A588A3A0DAE for <v6ops@ietf.org>; Mon, 21 Mar 2022 03:58:15 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 13C0E58C4AF; Mon, 21 Mar 2022 11:58:10 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 798B54EA9A2; Mon, 21 Mar 2022 11:58:09 +0100 (CET)
Date: Mon, 21 Mar 2022 11:58:09 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, v6ops list <v6ops@ietf.org>
Message-ID: <YjhaQVwszaX49QZU@faui48e.informatik.uni-erlangen.de>
References: <164775933228.16649.14547918925323593500@ietfa.amsl.com> <85F40C59-0FE2-4B44-871E-F9999959C06E@cisco.com> <CAO42Z2xZwzasdo-03gXn7OuE3K306dN=e4P1njE+ka7B5-j0-A@mail.gmail.com> <3646BDA2-4671-4E5C-8EC2-EDE84C29351D@cisco.com> <CAO42Z2yZSqF8sC6ZPcMqQ=+NyeoL977f1tiRAe7DBNdQ5GDyHg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAO42Z2yZSqF8sC6ZPcMqQ=+NyeoL977f1tiRAe7DBNdQ5GDyHg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/BwLWPIC4egaUWumzv4btlTIgEn8>
Subject: [v6ops] Hurting routers ? Re: FW: New Version Notification for draft-vyncke-v6ops-james-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 10:58:20 -0000

Eric/*:

Very nice work.  Thanks!

2 points:

1) I wonder what we're supposed to be able to learn from the results beside:

a) If you want to use an option, chances for it to proliferate over time are kinda ok (good)
b) You can obviously never expect to get very high percentage support, so never try to
   propose something one would have to DEPEND upon.

What else ?

2) Hurting routers

Here is i think what would be important to consider investigating, to learn something
i am quite interested in and i am not sure the current procedures do this:

Are routers hurting because of the options being processed ?

My now rather old experience, was that we did have routers hurting by doing slow-path
processing of traffic. And that did lead to the disabling/filtering of traffic with 
the properties that lead to slow-path processing.

This is really nasty, because the applications relying on that behavior did worked at
first, then they became popular, causing too much pain and then they where filtered.

Maybe one option to test for hurting would be to do an actual throughput test of
TCP (or equally CC UDP): one flow without the option, one flow with the option. Run
in parallel for 10..30 seconds, and in the end compare the numbers. If the throughput
is significantly lower with the option applied, then we should assume that some router
along the way could have been hurting. Of course, if one would do maybe more flows in parallel
50/50 with/without option, the results might become better. Room for research.

(past work did look into latency, which was increased because of slow-path, but IMHO that
 does not work well enough across long Internet paths.)

Cheers
    Toerless

On Mon, Mar 21, 2022 at 02:34:55AM +1100, Mark Smith wrote:
> Hi Eric,
> 
> On Sun, 20 Mar 2022 at 23:06, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
> >
> > Mark,
> >
> >
> >
> > Actually, the only reason was that we have assumed that as IPsec VPN works (albeit often over UDP encapsulation) accross the Internet, it was useless to test ESP 'fate' when crossing the global Internet.
> >
> >
> 
> That's part of my interest. UDP encapsulation of ESP is to facilitate
> IPv4 NAT traversal (RFC3948), so UDP encapsulation of ESP shouldn't be
> necessary on the IPv6 Internet.
> 
> It also relates to RFC6092, "Recommended Simple Security Capabilities
> in Customer Premises Equipment (CPE) for Providing Residential IPv6
> Internet Service". That has a general recommended inbound default deny
> (as expected), however defaults to allowing IKE and ESP because
> they;re authenticated and encrypted protocols. Going by the Microsoft
> Xbox presentation, they have been assuming this residential CPE
> IKE/ESP default permit.
> 
> So one perspective on testing ESP transparency could be that as
> residential CPE is supposed to allow it per RFC6092, so how successful
> is the Internet in carrying it?
> 
> >
> > The cost of adding ESP on our next run is rather small of course and we would add it.
> >
> >
> 
> Excellent.
> 
> 
> 
> Thanks very much,
> Mark.
> 
> >
> > Regards and thanks for reading our draft and commenting on it,
> >
> >
> >
> > -éric
> >
> >
> >
> > From: Mark Smith <markzzzsmith@gmail.com>
> > Date: Sunday, 20 March 2022 at 12:08
> > To: Eric Vyncke <evyncke@cisco.com>
> > Cc: v6ops list <v6ops@ietf.org>
> > Subject: Re: [v6ops] FW: New Version Notification for draft-vyncke-v6ops-james-01.txt
> >
> >
> >
> > Hi,
> >
> >
> >
> > Any specific reason why ESP hasn't been/isn't being tested?
> >
> >
> >
> > One way to think of what ESP does is that it enforces through encryption the Internet transparency to packet payloads that should already exist. Blocking ESP is in a sense an assertion that the network doing the ESP blocking is stating that it is going to inspect packet payloads because it is forcing clear text packets.
> >
> >
> >
> > I'm also interested because this presentation from Microsoft about the Xbox One, from Nanog 59/2013, says that the Xbox One uses IPv6 + IPsec in transport mode. I haven't heard of any issues with Xbox and IPv6 + IPsec, however it could be useful to have a measure of IPv6 Internet ESP transparency.
> >
> > https://archive.nanog.org/sites/default/files/wed.general.palmer.xbox_.47.pdf
> >
> > Regards,
> >
> > Mark.
> >
> > On Sun, 20 Mar 2022, 18:03 Eric Vyncke (evyncke), <evyncke=40cisco.com@dmarc.ietf.org> wrote:
> >
> > The major changes are:
> > - adding measurements for destination options header with different lengths
> > - adding measurements about two (mainly IPv6) protocols, 59 (NoNextHeader) and 143 (Ethernet payload per RFC 8986)
> > - adding the source code repo
> >
> > Minor changes include typo fixes, change of the document flow, ...
> >
> > The authors are looking forward to discussing this document at IEPG on Sunday and V6OPS WG meeting. Comments and suggestions will be welcome.
> >
> > Regards
> >
> > -éric
> >
> >
> > -----Original Message-----
> > From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
> > Date: Sunday, 20 March 2022 at 07:55
> > To: Raphaël Léas <raphael.leas@student.uliege.be>, Eric Vyncke <evyncke@cisco.com>, Eric Vyncke <evyncke@cisco.com>, Justin Iurman <justin.iurman@uliege.be>, Raphaël Léas <raphael.leas@student.uliege.be>
> > Subject: New Version Notification for draft-vyncke-v6ops-james-01.txt
> >
> >
> >     A new version of I-D, draft-vyncke-v6ops-james-01.txt
> >     has been successfully submitted by Éric Vyncke and posted to the
> >     IETF repository.
> >
> >     Name:               draft-vyncke-v6ops-james
> >     Revision:   01
> >     Title:              Just Another Measurement of Extension header Survivability (JAMES)
> >     Document date:      2022-03-20
> >     Group:              Individual Submission
> >     Pages:              17
> >     URL:            https://www.ietf.org/archive/id/draft-vyncke-v6ops-james-01.txt
> >     Status:         https://datatracker.ietf.org/doc/draft-vyncke-v6ops-james/
> >     Html:           https://www.ietf.org/archive/id/draft-vyncke-v6ops-james-01.html
> >     Htmlized:       https://datatracker.ietf.org/doc/html/draft-vyncke-v6ops-james
> >     Diff:           https://www.ietf.org/rfcdiff?url2=draft-vyncke-v6ops-james-01
> >
> >     Abstract:
> >        In 2016, RFC7872 has measured the drop of packets with IPv6 extension
> >        headers.  This document presents a slightly different methodology
> >        with more recent results.  It is still work in progress.
> >
> >
> >
> >
> >     The IETF Secretariat
> >
> >
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email