Re: [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Fernando Gont <fernando.gont@edgeuno.com> Thu, 08 April 2021 15:13 UTC

Hi, Tom,

On Thu, 2021-04-08 at 08:00 -0700, Tom Herbert wrote:
> On Thu, Apr 8, 2021 at 7:33 AM Timothy J. Salo <salo@saloits.com> wrote:
> > On 4/8/2021 9:21 AM, Tom Herbert wrote:
> > > [...]
> > > Sure, tell me, as a host stack developer, what a reasonable minimum
> > > length is for an IP header chain and I'll fix the packets I'm sending
> > > so that the operators don't need to be bothered with this.
> > 
> > No one really knows.
> 
> That presumes there is no data, and that it is impossible to get the
> data. I don't believe that is true. For instance, RFC7872 does show
> that between 80-90% of eight byte Destination Options make it through
> the Internet. That's a pretty high percentage, so that suggests that a
> minimal recommendation for EH length could be at least eight.

You seem to keep misinterpreting things:

1) This document does not make recommendations.
If you want recommendations, please do submit a draft. (I will note
that RFC7112 at the time wanted to restrict the IPv6 header chain to
1280 bytes, and even *that* didn't fly. -- So, good luck with that
project....)

2) As noted by many, many times, the effect of e.g. EH length on
processing depends on so many factors (vendor, model, deployment,
etc.) that trying to come up with a "minimal recommendation" is simply
guesswork.

3) There's no reason to believe that packets that are currently let
through do not or could not cause issues.

4) And no, I don't think that you can expect an operator to make a
survey of every single device they use, try to find out what's the
IPv6 header chain length that wouldn't screw the network, and work hard
to support it. As noted before, you're going to have a hard time
explaining to your CEO or manager why you've decided to unnecessarily
accept risk that you do not need to accept.

Just as a data point, this was posted yesterday:
https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html


> > Moreover, there is no reason to believe that the value won't change
> > in the future.  Furthermore, this is well beyond the control of the
> > IETF: it is driven by decisions made by router vendors and ISPs.
> > 
> The ADs can correct me if I'm wrong, but I believe it is within the
> scope of IETF to make recommendations and suggest best practices
> concerning the use of standard protocols and those recommendations
> can and should take operational data into account.

Indeed. But this document is not a recommendation, and was never meant
to be.  Isn't the Disclaimer clear enough on this point?

Thanks,
-- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531