Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

Lorenzo Colitti <lorenzo@google.com> Thu, 17 March 2016 13:42 UTC

In-Reply-To: <56EA93C0.1040904@si6networks.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Thu, 17 Mar 2016 22:42:08 +0900
Message-ID: <CAKD1Yr0HKZXVA5ZkW21zROohEUHtvnZN4YFOCw5wixHw1GDCKQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/EPj_bgERe3yB19yGRD-kG9kPDko>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>

On Thu, Mar 17, 2016 at 8:23 PM, Fernando Gont <fgont@si6networks.com>
wrote:

> Every time we talked about EHs, you asked the same question: "why do you
> need to obtain the layer-4 information, if you're supposed to just fwd
> packets?"
>

I disagree with the characterization of the problem. Intermediate routers
don't typically need to find the layer-4 header. If operators configure
them to do so, then such operators are also free to configure the boxes to
drop the packets if they can't find the layer-4 header.

As regards ACLs: the extension headers are a part of the packet just like
any other, and security policies can do whatever they wish with them. You
can certainly define a security policy that allows no extension headers at
all if you wish.

As regards hashing: traversing the whole length of the extension header
chain only to provide flow-based hashing is a bad use of processing power.
(If it's implemented in hardware, it might also be a bad use of die
space, energy, customer money, etc.) Using the flow label is much better.
So perhaps we should recommend that if hosts emit packets with extension
headers, they should also randomize the flow label.
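As an added illustration of the two hashing strategies contrasted above (example code written for this archive page, not code from either author or from any router implementation): `find_transport` walks the extension-header chain to reach the layer-4 header and reports the cases where that walk cannot succeed (non-first fragment, ESP or unknown header, truncated packet, over-long chain), while `flow_hash` derives a flow key from the fixed IPv6 header alone. The sample packets, the `ipv6_packet` builder and the header-limit of 8 are constructed for the example.

```python
import hashlib
import secrets
import struct

EXT_HEADERS, FRAGMENT = {0, 43, 60}, 44   # hop-by-hop, routing, dest opts; fragment
TRANSPORT = {6: "tcp", 17: "udp", 58: "icmpv6"}

def find_transport(pkt, max_headers=8):
    """Walk the EH chain after the 40-byte fixed header (the costly path the
    mail argues against). Returns (proto, offset) or None if unreachable."""
    if len(pkt) < 40:
        return None
    nh, off = pkt[6], 40
    for _ in range(max_headers):
        if nh in TRANSPORT:
            return TRANSPORT[nh], off
        if off + 8 > len(pkt):
            return None            # chain runs past the bytes we hold
        if nh in EXT_HEADERS:      # next header, then length in 8-octet units minus 1
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None        # non-first fragment: L4 header is in another packet
            nh, off = pkt[off], off + 8
        else:
            return None            # ESP, No Next Header or unknown type
    return None                    # chain too long to keep walking

def flow_hash(pkt):
    """Hash on (src, dst, flow label), read from the fixed header only."""
    label = struct.unpack_from("!I", pkt, 0)[0] & 0xFFFFF
    key = pkt[8:40] + label.to_bytes(3, "big")
    return int.from_bytes(hashlib.blake2b(key, digest_size=4).digest(), "big")

def random_flow_label():
    """Non-zero 20-bit label, as a host that randomizes labels would pick."""
    return secrets.randbelow(0xFFFFF) + 1

def ipv6_packet(label, chain, payload=b"", frag_offset=0,
                src=bytes(15) + b"\x01", dst=bytes(15) + b"\x02"):
    """Constructed sample: `chain` lists header types, the last one is transport."""
    body = b""
    for this, nxt in zip(chain, chain[1:]):
        if this == FRAGMENT:       # next, reserved, offset<<3 | M, identification
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0x1234)
        else:                      # minimal 8-octet option header, length field 0
            body += bytes([nxt, 0]) + bytes(6)
    body += payload
    fixed = struct.pack("!IHBB", (6 << 28) | label, len(body), chain[0], 64)
    return fixed + src + dst + body
```

Two packets of the same flow hash identically whatever their header chain, while the chain walk returns None for exactly the packets a router would otherwise have to drop or punt.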