Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer

Nick Hilliard <nick@foobar.org> Wed, 29 July 2020 20:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/I2XZ88wgHbI1m69hpOiQn0kmA24>

Tom Herbert wrote on 29/07/2020 17:37:
> I agree with that and I do appreciate that section 3 of the draft
> describes several of the mitigations to make EH processing more
> palatable like the provision of RFC8200 that allows nodes to ignore
> HBH and the limits in RFC8504. It might be helpful in the draft to
> mention the relevant mitigations when discussing specific reasons for
> drops. For instance, if DOS is being discussed then RFC8504 should be
> mentioned in reference since the one purpose of limits on number of
> options is to mitigate DOS attacks (i.e. without limits an attacker
> could fill an MTU with 100s of unknown HBH options that an
> implementation, SW or HW, will choke on it).

There are often no mitigations as limits are often related to hardware.

> Another area that should be elaborated here, or maybe necessitates a
> separate document, is the parsing buffer problem described in section
> 5.1.1 by "If an IPv6 header chain is sufficiently long that its header
> exceeds the packet look-up capacity of the router, then it may be
> dropped due to hardware inability to determine how it should be
> handled.". I believe this is a real problem, but it's never been
> quantified. For instance, when a host creates a packet how can it
> possibly guess that some router in the path will drop the packet
> because the header chain is too long (not just IPv6 header chain by
> the way, but really all headers a node needs to process which can
> include transport or even transport payload).

First, only SRv6 proposes to add EHs and I think we're all familiar with 
the difficulties that were outlined in that discussion.

So in the general case, it's up to the host to decide how many EHs to 
attach to a packet.  Obviously as there's no EH negotiation mechanism, 
there's no way for a host to know what will work and what won't, and 
even if there were, intermediate paths change so what might work on 
setup might not work later on.  We have the same problem with MTUs.

There are some limits already defined in IETF standards track documents 
(e.g. that you can have no more than a single packet with EHs attached), 
but real life limits are much lower.

It may be useful for a future document to quantify the problem.  The 
aim of this document is to state that there's a problem.

Nick
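
An added example, not part of the original message or of the draft under discussion: a small model of the two drop reasons raised in this thread, an option-count limit and a fixed parse buffer, applied to constructed packets. The `parse_buffer`, `max_opts` and `l4_hdr` values are assumptions chosen for illustration, option type 0x1e is used as an arbitrary unknown option, and only unfragmented packets or first fragments are modelled.

```python
import struct

HBH, ROUTING, FRAGMENT, DESTOPTS = 0, 43, 44, 60   # extension header types walked here
PAD1, PADN = 0, 1                                   # padding option types

def count_options(data):
    """Count non-padding TLV options in a Hop-by-Hop / Destination Options body."""
    i = n = 0
    while i < len(data):
        if data[i] == PAD1:                         # Pad1 is one byte with no length field
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("malformed option TLV")
        n += 1 if data[i] != PADN else 0
        i += 2 + data[i + 1]
    return n

def walk_chain(pkt):
    """Return (bytes before the upper-layer header, EH count, non-padding options, upper proto)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, n_eh, n_opts = pkt[6], 40, 0, 0
    while nxt in (HBH, ROUTING, FRAGMENT, DESTOPTS):
        # Fragment header is fixed at 8 bytes; a too-short tail is also sized 8 so it fails below
        hlen = 8 if nxt == FRAGMENT or off + 2 > len(pkt) else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        if nxt in (HBH, DESTOPTS):
            n_opts += count_options(pkt[off + 2:off + hlen])
        nxt, off, n_eh = pkt[off], off + hlen, n_eh + 1
    return off, n_eh, n_opts, nxt

def verdict(pkt, parse_buffer=128, max_opts=8, l4_hdr=20):
    """Hypothetical forwarding device; all three limits are assumed values."""
    try:
        chain, _, opts, _ = walk_chain(pkt)
    except ValueError:
        return "drop: malformed"
    if opts > max_opts:
        return "drop: too many options"
    if chain + l4_hdr > parse_buffer:               # device must see the transport header too
        return "drop: headers exceed parse buffer"
    return "forward"

def build(ehs, upper=6, payload=bytes(20)):
    """Constructed sample packet: fixed header, (type, body) extension headers, TCP-sized stub."""
    types = [t for t, _ in ehs] + [upper]
    body = b"".join(bytes([types[i + 1], (len(b) + 2) // 8 - 1]) + b
                    for i, (_, b) in enumerate(ehs)) + payload
    return struct.pack("!IHBB", 6 << 28, len(body), types[0], 64) + bytes(32) + body
```

The same packet can be forwarded by one modelled device and dropped by another purely because `parse_buffer` differs, which is the situation the sending host has no way to discover in advance.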