IETF Logo Mail Archive

Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

Nick Hilliard <nick@foobar.org> Wed, 22 April 2015 16:55 UTC

Return-Path: <nick@foobar.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1A041B3807 for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 09:55:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SNhU_UFuRV4q for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 09:55:20 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E86861B380D for <v6ops@ietf.org>; Wed, 22 Apr 2015 09:55:08 -0700 (PDT)
X-Envelope-To: v6ops@ietf.org
Received: from cupcake.foobar.org ([IPv6:2001:4d68:2002:100:0:0:0:110]) (authenticated bits=0) by mail.netability.ie (8.15.1/8.14.9) with ESMTPSA id t3MGt4X5097613 (version=TLSv1.2 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 22 Apr 2015 17:55:05 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.netability.ie: Host [IPv6:2001:4d68:2002:100:0:0:0:110] claimed to be cupcake.foobar.org
Message-ID: <5537D268.1010603@foobar.org>
Date: Wed, 22 Apr 2015 17:55:04 +0100
From: Nick Hilliard <nick@foobar.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>, "v6ops@ietf.org" <v6ops@ietf.org>
References: <5536814D.7030708@foobar.org> <1347296409.2158102.1429683600983.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1347296409.2158102.1429683600983.JavaMail.yahoo@mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/IEgkWf_E6QOdteqeO8HZB-aCKYQ>
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 16:55:23 -0000

Mark,

Gert and Steiner have answered many of the issues which you bring up.

On 22/04/2015 07:20, Mark ZZZ Smith wrote:
> So I'm going to call the emperor naked.

The emperor is not naked.  We live in a real world with real constraints.

> What I think you and Gert actually want is for EHs to be completely
> deprecated, so that the TCP and UDP headers are always in the same place in
> the packet, so that hardware can look at them for the purposes of dropping
> them in hardware or as inputs into LB. Is that the case?

Nope, EHs cannot be removed from the spec and no-one is suggesting this.
As Steiner said, we need something like:

>  [IPv6 Fixed Hdr] + [IPv6 EHs] + [L4 Hdr] <= hardware inspection limit

I'd suggest that we need a chunk of encapsulation overhead in that
equation.  The hardware inspection limit will vary, but the larger it is,
the more expensive both in terms of financial cost and performance.

> What I'm curious about then is how do you handle DDoSes that are using IP
> fragments, where there are no TCP or UDP headers ports to look at?

s/rtbh or d/rtbh, depending on which looks like it will be more effective.
 But please don't try to imply that because something is broken in ipv4
that we should be ok if it's broken in ipv6 too.  This is a unhelpful fallacy.

> I'm also curious about how you LB packets (either at layer 2 or layer 3)
> that don't have TCP or UDP headers, or aren't IP. I've seen LB become
> completely ineffective at layer 2 because a customer was using MPLS between
> two routers, so no MAC address variation, and no IP addresses and no TCP or
> UDP ports to look at.

tbh, with great difficulty and expense.  I spend an inordinate amount of
time trying to deal with this particular problem.  And if it's bad for the
L3 ISP stuff I do, it's far worse on an L2 IXP lan.

> In fact, given the trouble LAG has caused me in the past 2 years (LAG
> member links that are not current members are supposed to be considered by
> the bridge as normal bridge ports, so if you want to avoid loops across the
> links that are candidate members of the LAG, the IEEE expect you to be
> running STP of some form across them...)

yep, bridges require bridging protocols for loop avoidance.

>, I'm a big fan of the quote on the
> last slide of this presentation:
> 
> "IEEE 802.3ad Link Aggregation (LAG) what it is, and what it is not"
> http://www.ieee802.org/3/hssg/public/apr07/frazier_01_0407.pdf
> 
> "LAG is good, but it’s not as good as a fatter pipe."

which is fine until the point that a fatter pipe will not handle all the
data you need to transfer.  If I had a choice about using LAGs, I wouldn't
use them.  I don't have that choice.

Nick

v2.23.0 | Report a Bug | By Email