IETF Logo Mail Archive

Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop

Joe Touch <touch@isi.edu> Wed, 31 October 2012 18:59 UTC

Return-Path: <touch@isi.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEDBE21F8720 for <v6ops@ietfa.amsl.com>; Wed, 31 Oct 2012 11:59:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.599
X-Spam-Level:
X-Spam-Status: No, score=-104.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id raL4eNVugCPb for <v6ops@ietfa.amsl.com>; Wed, 31 Oct 2012 11:59:42 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by ietfa.amsl.com (Postfix) with ESMTP id 2D55421F85CD for <v6ops@ietf.org>; Wed, 31 Oct 2012 11:59:42 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id q9VIwvo3022133 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 31 Oct 2012 11:58:57 -0700 (PDT)
Message-ID: <509174F1.8080809@isi.edu>
Date: Wed, 31 Oct 2012 11:58:57 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>
References: <CAKD1Yr13cNspdWvTaXxHt4R_8UB-CKeA4nq8_XWrkbFGCgW7Gg@mail.gmail.com> <5090DECF.3050100@gmail.com> <CAKD1Yr1dUy-f78A2+kfA7NjpzD0WQRT8iwqGYAm5A=Erodpn-A@mail.gmail.com> <20121031.122110.41655699.sthaug@nethelp.no> <50910E41.2030100@gmail.com> <CAKD1Yr0mTTcVeq+Qf0fLv3UCBP_90QmStkK3Ha4tDdm3FxJjVA@mail.gmail.com> <50915F86.7050304@gmail.com> <509165B8.404@si6networks.com> <509169C2.9040208@isi.edu> <50916F21.6030303@si6networks.com>
In-Reply-To: <50916F21.6030303@si6networks.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: v6ops@ietf.org
Subject: Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 18:59:42 -0000

On 10/31/2012 11:34 AM, Fernando Gont wrote:
> On 10/31/2012 04:11 PM, Joe Touch wrote:
>> Yes, but the whole point of the IPv6 option architecture was to avoid
>> the issues seen with IPv4 options.
>
> The only thing in that IPv6 would avoid is requiring routers to parse
> *all* options, just to find the ones that need to be processed by routers.

Yes.

However, since fragmentation is near the end of the set of possible 
options, that means that ANY recommendations about how IPv6 routers 
handle options will require deep option parsing. How does that help?

> While the IPv6 extension header syntax is good in terms of extensibility
> (in principle, you can include as many options as you want, it also
> allows for pathological cases in which the header chain is split among
> multiple fragments (we're working on fixing that one), and also requires
> any box that wants to find the upper-layer header to parse the entire
> IPv6 header chain -- something that a large number of devices cannot do
> at wire speed.

I thought we were talking more about fragmentation - which defeats 
filtering on upper layer info anyway.

The non-HBH options can be split across fragments, but not the HBH ones.

> For filtering purposes, it'd been interesting to have a pointer to the
> upper-layer header -- although with the original specs, it might simply
> not be there. With IPv4, at the very least it's trivial to find the
> upper layer protocol: just skip the first IHL of the packet, and you're
> there. With IPv6, at leasts in theory, it might be impossible (unless
> you reassemble-filter-and-refragment).

In both cases fragmentation defeats DPI. But then so does IPsec.

Yes, IPv6's chained header structure is not DPI-friendly. But this isn't 
news, is it?

>> Consider that:
>>
>>      - routers don't like fragments because they can't inspect them
>>
>>      - so we tunnel and fragment in a higher level protocol
>>
>>          the router now needs to implement the higher protocol
>>          and still fragment or else we cannot have tunnels
>>
>>          the routers on the path still cannot inspect the
>>          higher-level fragments
>>
>> So we're back to the reason this all breaks - routers doing something
>> that we simply cannot support in the architecture.
>
> It's probably time to accept that firewalls and routers implementing
> ACLs are part of the architecture.

We need to accept one of three things:

	DPI is part of the architecture
		either don't use IPv6 options
		or don't use IPv6

	IPv6 options are part of the architecture
		DPI isn't meaningful anymore

 > One might argue that the use of
> firewalls couldn't be foreseen with IPv4. But at the time IPv6 was
> designed, it was already a reality.

So that means IPv6 was designed to inhibit the use of options, or 
designed to inhibit its own deployment.

Seems like the latter is coming to fruition.

Joe

v2.23.0 | Report a Bug | By Email