IETF Logo Mail Archive

Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer

Tom Herbert <tom@herbertland.com> Mon, 27 July 2020 22:25 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCDE83A08DB for <v6ops@ietfa.amsl.com>; Mon, 27 Jul 2020 15:25:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buBilHF48fmI for <v6ops@ietfa.amsl.com>; Mon, 27 Jul 2020 15:25:08 -0700 (PDT)
Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D704C3A08F5 for <v6ops@ietf.org>; Mon, 27 Jul 2020 15:25:07 -0700 (PDT)
Received: by mail-ej1-x641.google.com with SMTP id g19so4842798ejc.9 for <v6ops@ietf.org>; Mon, 27 Jul 2020 15:25:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=S/43cs8fWlQyVrBglEA7HU2kuuCyoPwnjKtI32L9I6c=; b=xRvSU/oyUQamWfWBMXGYjvuFc667PYZAlVYaBv+0Qwid/CdSlkA7AdDtZ7sMS9kvxw Kv2058/ztsjTnDwF7YnF536DAdgrPenl7CJp/HNwOJ93Hf6FmDW07FMIGsLR/VuQ9C6E H0XRyKpf8IP0jXEz55HKeM/auTrGt2jUq9a+zsv6NWL0BTlEuX+IIKF9wojTHkELjf3j NIvA1p1qcMi3gmK7r7ZU5EQ54twbGEgg/bj3wDqmMFA6kaSDaPoUFBCIET7US8w9lXD4 rVMvjspXbMVhB0bJvt/tGOs/b3hXWaqOTq1DSZPeBmoKClLIHku3txyBEWc+LnaU4N9y WodA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=S/43cs8fWlQyVrBglEA7HU2kuuCyoPwnjKtI32L9I6c=; b=Z5jpY2uUkJzc9trbxL0UCEB4J/v+ncE7/BY0AISiFT6PegyLHsDrsxIwBlJs0Lm0ja Vza9s8DKPLe3wBfG6un2shwrmyo1csgJd4xqZtcIDciuDzF9WmBhZd7X14SPzwFo4CZM ZSs2zJt3Fv8LVHWVrTAz0HwTO7JyBR0u2dSMto14fFEJVz/20NITdosnVR7j03mA7cNt LxBozzAqpsgz/t3MLbMOPo62ENyxQNBMMWw0uLSUSstAd+AyArQQQqIfeQlYJ7bsORvy fHl2/c4ngiaoqCuIyCm3WpK0ffMH8IUUS2aEg7zBzw6N79VTQxl33t60WsV8mb+VAVwP rU0g==
X-Gm-Message-State: AOAM5333iZyezf0QmcbQeD/nR8GbkLwT30BBCS3VB42Yq9xu/E4/OfG3 VM+Jn12szIjd1N+Mjy9sfal7r0M8Et1WJqE+Xl1Q8DBN
X-Google-Smtp-Source: ABdhPJy4vArDsniO+hJ8rAjJRJZXD8ODIf5KO1b3zqqWnIlZmIHELvJbkFQXuXtcOqYWO7V8S6DvYJPUZ95KcO+jOVY=
X-Received: by 2002:a17:907:aaa:: with SMTP id bz10mr2942108ejc.304.1595888706165; Mon, 27 Jul 2020 15:25:06 -0700 (PDT)
MIME-Version: 1.0
References: <b380408712364589a45ab9f39ab6f764@huawei.com> <CALx6S35rkA5nVPm6C6MToUdHKFmcAabGfMN9prTiUfWr+GKwCA@mail.gmail.com> <6439ceb9d73b435d950e73a7a2d68fc7@huawei.com> <CALx6S37ih8VabN2PHvQ3ELDvV2DoiUqnd28LRxr4ofj6zUq3Jw@mail.gmail.com> <d4debe5c-4ffc-88e4-0b86-6b0dff5a8083@gmail.com>
In-Reply-To: <d4debe5c-4ffc-88e4-0b86-6b0dff5a8083@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 27 Jul 2020 15:24:55 -0700
Message-ID: <CALx6S37cw6b4NM1KadRJUFBpKKFD6_LXjcB7HkZ+8omh5a5xiQ@mail.gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Vasilenko Eduard <vasilenko.eduard@huawei.com>, Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, "draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org" <draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Gd01bk76JJsGGqci6dbWEaxvvkc>
Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2020 22:25:14 -0000

On Mon, Jul 27, 2020 at 2:01 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> On 28-Jul-20 07:23, Tom Herbert wrote:
> > On Mon, Jul 27, 2020 at 11:05 AM Vasilenko Eduard
> > <vasilenko.eduard@huawei.com> wrote:
> >>
> >> Hi Tom,
> >> I believe that risk still exist that some application would no use flow label properly.
> >
> > Exactly which applications are you concerned about?
>
> Given that the most widespread socket APIs (POSIX and WinSock) do not allow
> an application to set the flow label, I too have that question.
>
Brian,

Flow label is automatically set per flow. The easiest way to do this
is to save a hash value in the connection context, in Linux that's
simply intialized to a random number and when packets are sent the low
order twenty bits of the value are simply copied into the flow label.
In cases where we don't have a connection context, like when we're
forwarding and encapsulating in IPv6, we hash over the packet four
tuples and use bits from that hash value. In most cases we can either
use the saved context hash or get a suitable 4-tuple hash from the
receiving device for "free", but if those are not available then we
will do the work to compute the hash in the CPU (expensive operations
for CPU so we try to avoid that).

Generally, we really don't want individual applications setting the
flow label, it's just as easy to let the kernel do it as it can
guarantee a proper uniform distribution, good waterfall properties in
the hash, and consistent use of the same hash for the lifetime of the
connection. The one exception is if the flow label has more semantics
that just being an entropy identifier, in that case there are APIs
that can be used.

Tom

> And again: please read RFC7098 where these issues are discussed in some
> depth. If that RFC is now out of date due to changing reality (such
> as TLS 1.3), please let us know.
>
>     Brian
>
> >
> >> Hence, it is better on LB to deep dive into UDP/TCP. More predictable/reliable result.
> >
> > You seem to be assuming a very limited traffic profile that consists
> > only of plain UDP/TCP packets. Any use case that deviates from that
> > then breaks your LB (i.e. encapsulation, tunneled encryption, SCTP,
> > IPSec, etc.). Flow label is in all IPv6 packets and is mostly set
> > properly for the vast majority of packets on the Internet and
> > processing it is completely independent of the protocols, so when
> > taking the full scope of the problem into account it is actually more
> > generic and more predictable/reliable.
> >
> > Tom
> >
> >> Eduard
> >> -----Original Message-----
> >> From: Tom Herbert [mailto:tom@herbertland.com]
> >> Sent: 27 июля 2020 г. 17:15
> >> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> >> Cc: Fernando Gont <fgont@si6networks.com>; IPv6 Operations <v6ops@ietf.org>; draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
> >> Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer
> >>
> >> On Mon, Jul 27, 2020 at 2:08 AM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> >>>
> >>> Hi Fernando,
> >>> Hence again, following the logic of this draft (the level of detalization that you have given to 5.1) - may be you need additional section 5.1.x: Load Balancer have to look into TCP/UDP ports. Moreover, it could not trust "Flow label" - it is not reliable practice for LB.
> >>
> >> Eduard,
> >>
> >> What exactly does "not reliable practice for LB" mean.? If this means that the flow label might change during the flow's lifetime then I will point out that UDP is equally unreliable for that reason (i.e.
> >> the UDP ports for a QUIC connection can change during the connection's lifetime). For that matter, a TCP header might be encrypted or in an encapsulation that the LB doesn't understand so the LB can't access the TCP ports at all-- in the this case the flow label is actually more reliable than TCP since it's never encrypted and is purposely designed to be consumed by intermediate nodes without the need for expensive DPI.
> >>
> >> Tom
> >>> Or alternatively you could say something about LB in section 5.1.2,
> >>> but because it is a little special case - may be better to have
> >>> separate 5.1.x
> >>>
> >>> Eduard
> >>> -----Original Message-----
> >>> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Fernando Gont
> >>> Sent: 26 июля 2020 г. 8:46
> >>> To: IPv6 Operations <v6ops@ietf.org>
> >>> Cc: draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
> >>> Subject: [v6ops] Operational Implications of IPv6 Packets with
> >>> Extension Headers (Fwd: New Version Notification for
> >>> draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt)
> >>>
> >>> Folks,
> >>>
> >>> We have posted a rev of our IETF I-D "Operational Implications of IPv6 Packets with Extension Headers".
> >>>
> >>> The I-D is available at:
> >>> https://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-packet-
> >>> drops-04.txt
> >>>
> >>> Your feedback will be appreciated.
> >>>
> >>> Thanks!
> >>>
> >>> Cheers,
> >>> Fernando
> >>>
> >>>
> >>>
> >>>
> >>> -------- Forwarded Message --------
> >>> Subject: New Version Notification for
> >>> draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> >>> Date: Sat, 25 Jul 2020 22:28:50 -0700
> >>> From: internet-drafts@ietf.org
> >>> To: Fernando Gont <fgont@si6networks.com>, Gert Doering
> >>> <gert@space.net>, Geoff Huston <gih@apnic.net>, Warren Kumari
> >>> <warren@kumari.net>, Nick Hilliard <nick@inex.ie>
> >>>
> >>>
> >>> A new version of I-D, draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> >>> has been successfully submitted by Fernando Gont and posted to the IETF repository.
> >>>
> >>> Name:           draft-gont-v6ops-ipv6-ehs-packet-drops
> >>> Revision:       04
> >>> Title:          Operational Implications of IPv6 Packets with Extension Headers
> >>> Document date:  2020-07-25
> >>> Group:          Individual Submission
> >>> Pages:          15
> >>> URL:
> >>> https://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-packet-
> >>> drops-04.txt
> >>> Status:
> >>> https://datatracker.ietf.org/doc/draft-gont-v6ops-ipv6-ehs-packet-drop
> >>> s/
> >>> Htmlized:
> >>> https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops-04
> >>> Htmlized:
> >>> https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-ehs-packet
> >>> -drops
> >>> Diff:
> >>> https://www.ietf.org/rfcdiff?url2=draft-gont-v6ops-ipv6-ehs-packet-dro
> >>> ps-04
> >>>
> >>> Abstract:
> >>>     This document summarizes the security and operational implications of
> >>>     IPv6 extension headers, and attempts to analyze reasons why packets
> >>>     with IPv6 extension headers may be dropped in the public Internet.
> >>>
> >>>
> >>>
> >>>
> >>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >>>
> >>> The IETF Secretariat
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >>>
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> >
>

v2.23.0 | Report a Bug | By Email