Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC
Havard Eidnes <he@uninett.no> Mon, 19 August 2013 08:47 UTC
Return-Path: <he@uninett.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8B711E820C for <v6ops@ietfa.amsl.com>; Mon, 19 Aug 2013 01:47:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aHslU7Wb7X+I for <v6ops@ietfa.amsl.com>; Mon, 19 Aug 2013 01:47:07 -0700 (PDT)
Received: from smistad.uninett.no (smistad.uninett.no [IPv6:2001:700:1:0:21e:4fff:feed:ced]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3C811E8212 for <v6ops@ietf.org>; Mon, 19 Aug 2013 01:47:06 -0700 (PDT)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by smistad.uninett.no (Postfix) with ESMTP id 0BA253D0B3 for <v6ops@ietf.org>; Mon, 19 Aug 2013 10:47:05 +0200 (CEST)
Date: Mon, 19 Aug 2013 10:47:04 +0200
Message-Id: <20130819.104704.119047008.he@uninett.no>
To: v6ops@ietf.org
From: Havard Eidnes <he@uninett.no>
In-Reply-To: <201308181800.r7II06mv003294@irp-view13.cisco.com>
References: <201308181800.r7II06mv003294@irp-view13.cisco.com>
X-Mailer: Mew version 6.5 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 08:47:14 -0000
Some perhaps non-nit comments (I sent the nits privately): Under section 2.1, Possible Causes: Some filtering and dropping of fragments is known to be done for hardware, performance, or topological considerations. That's quite vague, I think it could stand with some more details. The entire section 2.1.1. "Stateful inspection" is about problems with resource exhaustion in middleboxes or end-system firewalls. Implementations which willingly devote unlimited resources to fragment reassembly display a severe lack robustness, and IMHO should not be used as justification for why we can't use fragments. Yes, I'm suggesting that one can forego the specified 60s fragmentation reassembly timeout in the case of resource shortage of a fixed pool. Under section 2.1.2. Stateless ACLs: Stateless load balancing schemes may hash fragmented datagrams from the same flow to different paths because the 5-tuple may be available on only the initial fragment. While rehashing has the possibility of reordering packets in ISP cores it is not disastrous. However, in front of a stateful inspection device, load balancer tier, or anycast service instance, where headers other than the L3 header -- for example, the L4 header, interface index (for traffic already rehashed onto different paths), DS fields -- are considered as part of the hash, rehashing may result in the fragments being delivered to different end-systems AFAIK the use of a 5-tuple which includes the L4 header to compute a hash to make a forwarding decisions among otherwise equal paths is an implementation optimization only, it is not something which is explicitly prescribed by our standards. Therefore, I'll claim that applying this logic to fragments, causing packet delivery to different hosts for initial and subsequent fragments (e.g. in the case of a load balancer) is an incorrectly applied optimization, also known as a bug. Under section 2.1.3. Performance considerations Leaving aside these incentives towards fragment dropping, other considerations may weigh on the operator's mind. One example cited on the NANOG list was that of a router where fragment processing was done by the control plane processor rather than in the forwarding plane hardware, with a consequent hit on performance. Is this about traffic directed at the one of the local addresses of the router? "Of course", one needs to be careful about letting fragments from anywhere from passing into the data-plane / control- plane bottleneck (but you could conceivably allow fragments from a small controllable subset, e.g. your iBGP neighbors etc.) The impact of having limited ability to send fragments from any source to the routers should be minimal, if noticeable at all. Or is this about traffic passing through the router? If so, doesn't that discussion belong under section 2.1.2? In section 2.1.4. Other considerations you say: It is common practice [RFC6192] to recommend that control-plane ACLs protecting routers and network devices be configured to drop all fragments. Well, there exists an informational RFC [6192] which contains an example policy and also some detailed discussion about handling of fragments. I don't think it in sum says what is said here, though. Best regards, - HÃ¥vard
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC George Michaelson
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Havard Eidnes
- [v6ops] draft-taylor-v6ops-fragdrop WGLC Fred Baker
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Jason Fesler
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Sheng Jiang
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC joel jaeggli
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Joe Touch
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Fred Baker (fred)
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Brian E Carpenter
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Joe Touch
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Fred Baker (fred)
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Joe Touch
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC George Michaelson
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC George, Wes
- [v6ops] draft-taylor-v6ops-fragdrop WGLC Fred Baker
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC joel jaeggli
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Mark Andrews
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC C. M. Heard
- Re: [v6ops] draft-taylor-v6ops-fragdrop WGLC Randy Bush