[v6ops] Re: [tsvwg] Re: Carrying large DNS packets over UDP in IPv6 networks

Simon <linux@thehobsons.co.uk> Fri, 21 June 2024 18:28 UTC

From: Simon <linux@thehobsons.co.uk>
Date: Fri, 21 Jun 2024 19:28:24 +0100
References: <E35DC12F-D1CE-4AE5-B155-612C639A348B@gmail.com> <DU2PR02MB10160CCA998D5A86B9F11F2C388C22@DU2PR02MB10160.eurprd02.prod.outlook.com> <CACL_3VGzQfn9Gp+Wvx6HDZt=Gbyurirgt8Sa3qah7TpNgLiQug@mail.gmail.com> <BAEBA468-9B3E-41ED-B609-1D0A9D4A0F6E@gmail.com> <Zm81hsg9-O6A3GCQ@Space.Net> <fd1db63a-b735-4906-9416-80a118be15dc@gmail.com> <CACL_3VHkbVeno3i+T6saWCoVQnvmgvwxAWG34YK9EoHBubmPHw@mail.gmail.com> <DA850D92-422D-4F74-961E-7B4A6038B33C@strayalpha.com> <CAO42Z2yuYo0asVB9r-vTp5gJtja-N9ARrhAGnqSj8LxAAkcF3w@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
In-Reply-To: <CAO42Z2yuYo0asVB9r-vTp5gJtja-N9ARrhAGnqSj8LxAAkcF3w@mail.gmail.com>
Message-Id: <488260EF-E73E-40AA-BCB1-27A6262565C1@thehobsons.co.uk>
Subject: [v6ops] Re: [tsvwg] Re: Carrying large DNS packets over UDP in IPv6 networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/C-eP-siJuyAzf-4Tdq5EdvS5DTs>

On 17 Jun 2024, at 03:14, Mark Smith <markzzzsmith@gmail.com> wrote:

> I was surprised how often IP fragments were being dropped over the
> Internet through peoples' measurements because I've seen and
> configured packet filters many times on IP routers for many
> organisations and ISPs and have never explicitly dropped them, nor have
> I heard of people explicitly dropping them.
> 
> I realised it is more likely a symptom of the way people are taught to
> do packet filters, and that they're specifically not taught to allow
> IP fragments.
> 
> The following would be a typical example* of how people are taught to
> do something like "permit" DNS over UDP, yet it would drop any IP
> fragments containing UDP port 53 fragments.
> 
> access-list 100 permit udp any any eq 53
> access-list 100 deny ip any any

And indeed, as a “general IT guy that does(did) some networking” person, that is the only way I’ve ever known (give or take different firewall CLI syntax).
TBH, I hadn’t realised that IPv6 behaves differently to IPv4 in this (if I read the thread correctly). I’ve done the HE/TunnelBroker IPv6 online, and got what I’ve heard described as the geekiest tee shirt ever, so in the eyes of many I’m considered a guru - but in reality I know enough to be dangerous and probably more than most people who will be running networks outside of quite large enterprises.
But this was news to me.

> * "Configure Commonly Used IP ACLs", last updated on November 21st
> 2023, mentions the 'fragments' option in the ACL command syntax,
> however doesn't describe it or demonstrate using it in "commonly used
> IP ACLs".
> https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

Indeed.

Given how many documents around the internet will copy that basic filter syntax, I would suggest it’s now a done deal that the internet needs to live with it.



Regards, Simon
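An added illustration of the point Mark makes above (example code, not from the thread or from any vendor): a UDP/53 datagram too large for the path is sent as IPv6 fragments, and a stateless rule that matches on the UDP port can only see that port in the first fragment, so the literal two-line ACL leaves every non-initial fragment to the implicit deny. The packet bytes, addresses (RFC 3849 documentation prefix) and the `acl_decision` evaluator are constructed here; it models the literal reading discussed in the thread and does not model platforms that special-case non-initial fragments (the `fragments` keyword, or reassembly before filtering).

```python
# Constructed example: IPv6 fragmentation of a UDP/53 datagram and a stateless
# port-based ACL evaluated per fragment.  Standard library only.
import struct
import ipaddress

NH_UDP, NH_FRAG = 17, 44
SRC = ipaddress.IPv6Address("2001:db8::1")    # constructed, documentation prefix
DST = ipaddress.IPv6Address("2001:db8::53")

def ipv6_fragments(payload: bytes, frag_size: int, ident: int = 0x1234) -> list:
    """Split a UDP datagram into IPv6 packets carrying a Fragment header (RFC 8200 4.5).
    frag_size must be a multiple of 8: fragment offsets are in 8-octet units."""
    assert frag_size % 8 == 0
    pkts = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = 1 if off + frag_size < len(payload) else 0
        off_m = ((off // 8) << 3) | more                 # 13-bit offset, 2 res, M flag
        frag_hdr = struct.pack("!BBHI", NH_UDP, 0, off_m, ident)
        base = struct.pack("!IHBB", 0x60000000, 8 + len(chunk), NH_FRAG, 64)
        pkts.append(base + SRC.packed + DST.packed + frag_hdr + chunk)
    return pkts

def parse(pkt: bytes):
    """Return (upper-layer next header, fragment offset in 8-octet units, M flag,
    upper-layer bytes or None when this fragment does not carry the UDP header)."""
    nh, body = pkt[6], pkt[40:]
    if nh != NH_FRAG:
        return nh, 0, 0, body
    nh, _, off_m, _ = struct.unpack("!BBHI", body[:8])
    offset, more = off_m >> 3, off_m & 1
    l4 = body[8:] if offset == 0 else None          # only the first fragment has L4
    return nh, offset, more, l4

def acl_decision(pkt: bytes) -> str:
    """Stateless 'permit udp any any eq 53' followed by 'deny ip any any'."""
    nh, _offset, _more, l4 = parse(pkt)
    if nh == NH_UDP and l4 is not None and len(l4) >= 8:
        dport = struct.unpack("!H", l4[2:4])[0]
        if dport == 53:
            return "permit"
    return "deny"       # non-initial fragments never reach the port comparison

def demo(data_len: int = 2000, mtu: int = 1280) -> list:
    """Fragment a UDP datagram to port 53 for `mtu` and return the verdict per fragment."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + data_len, 0) + bytes(data_len)
    frag_size = (mtu - 40 - 8) // 8 * 8            # room after IPv6 + Fragment headers
    return [acl_decision(p) for p in ipv6_fragments(udp, frag_size)]

if __name__ == "__main__":
    print(demo())       # first fragment permitted, second dropped by the implicit deny
```

A datagram that fits in one packet (`demo(100)`) is permitted in full, which is why this filter looks correct until a response exceeds the path MTU.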