IETF Logo Mail Archive

Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer

Fernando Gont <fgont@si6networks.com> Tue, 28 July 2020 20:20 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D1453A0B45; Tue, 28 Jul 2020 13:20:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5IKlftrBSrQF; Tue, 28 Jul 2020 13:20:21 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6D003A0B3D; Tue, 28 Jul 2020 13:20:18 -0700 (PDT)
Received: from [IPv6:2800:810:464:1f7:8ca5:7f63:e5ff:a34] (unknown [IPv6:2800:810:464:1f7:8ca5:7f63:e5ff:a34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id F259C280C63; Tue, 28 Jul 2020 20:20:11 +0000 (UTC)
To: Tom Herbert <tom@herbertland.com>, Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: IPv6 Operations <v6ops@ietf.org>, "draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org" <draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org>
References: <b380408712364589a45ab9f39ab6f764@huawei.com> <CALx6S35rkA5nVPm6C6MToUdHKFmcAabGfMN9prTiUfWr+GKwCA@mail.gmail.com> <6439ceb9d73b435d950e73a7a2d68fc7@huawei.com> <CALx6S37ih8VabN2PHvQ3ELDvV2DoiUqnd28LRxr4ofj6zUq3Jw@mail.gmail.com> <947a50398cbb4bbcad85462a69d7dd45@huawei.com> <CALx6S35FX-SNoNFhd2JXFio9B0vGVyXGkeob=7x+dn6u4qOaVw@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <3bc2b2a1-4f52-6ee0-87de-0a3198186f07@si6networks.com>
Date: Tue, 28 Jul 2020 16:47:19 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CALx6S35FX-SNoNFhd2JXFio9B0vGVyXGkeob=7x+dn6u4qOaVw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/W8WF9jk25nk3hBm4mmqlvYpq29Y>
Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 20:20:23 -0000

On 28/7/20 16:18, Tom Herbert wrote:
> On Tue, Jul 28, 2020 at 1:36 AM Vasilenko Eduard
> <vasilenko.eduard@huawei.com> wrote:
>>
>> Hi Tom,
>> Is APNIC a reliable source for you?
>> https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
>> RIPE has replicated it here: https://labs.ripe.net/Members/joel_jaeggli/ipv6-flow-label-misuse-in-hashing
>> "Cases have been observed where devices that connect to hashed endpoints do not in fact honour this behaviour. By in large, this flow label changing behaviour has been traced to IPv6 supporting CPE/firewalls, which change the flow label between the initial syn and the ack."
> 
> The rationale for this is: "The use of the flow label as a hash
> element for any stateful application requires that the flow label
> remain unchanged over the life of the flow.". This is really directed
> towards stateful intermediate nodes like stateful firewalls. 

IIRC, FreeBSD used to change the Flow Label during the TCP 3WHS vs data 
transfer phase...




>> They have disputable conclusion: "Avoid using the flow label as a hash component".
> 
> This guidance could just as easily be "Avoid fragmentation", "Avoid
> using any protocols other than UDP or TCP", "Avoid using extension
> headers", "Avoid ICMP", "Avoid using encapsulation", "Avoid using
> encryptions" as any of these can break some meddling device somewhere
> such that packet delivery becomes unreliable on the Internet. More
> generally, the guidance could simply be "Avoid doing anything that
> disrupts the status quo"!

Unfortunately, if one is in the "business" of getting data through, one 
would rather stick to whatever works.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email