IETF Logo Mail Archive

Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer

Tom Herbert <tom@herbertland.com> Tue, 28 July 2020 21:38 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A40F3A090B for <v6ops@ietfa.amsl.com>; Tue, 28 Jul 2020 14:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id usWxM5Wd3w5s for <v6ops@ietfa.amsl.com>; Tue, 28 Jul 2020 14:38:52 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59C0A3A090D for <v6ops@ietf.org>; Tue, 28 Jul 2020 14:38:52 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id z17so15873344edr.9 for <v6ops@ietf.org>; Tue, 28 Jul 2020 14:38:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Qfl2RgJzXOOjstkCpBepRkCWDrGxNZbOa7G2MPWWn5A=; b=yI8DTcgVHBlab3K8oGftOyx37jvnjhISPzD/anzkCR79Hld7TlPeLou9RLXdAqLLd1 ZyfM6zQ7ft7ZYxuR1Aysqzb3UsLKlgqK3KOEG8JmMNVuGy3FufWGHWcyC0mFQLYdlDj9 em3KAPve6rrQSyQ8L5IZmeKcU2Qu0BvADnZYsDDAuUD7jWcechGVk+SMwqBT+S95MGO2 XN9+EdxhCYwjTMs4jn8ZKSJipxrLtcsVb/n/Vla2XeXexv2B7kcWi0Crxm+Cr3PbxXH9 RX+5q4wAYeg5ZO5xeFqmkHBdTRFwcW0HgNG9rBpiB/PkZs8ZoRbpvKaVBeIciDU0AkwQ PUqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Qfl2RgJzXOOjstkCpBepRkCWDrGxNZbOa7G2MPWWn5A=; b=rOxlDg//xorUSV5Ry99xFT2oQkfSDuaVxUq7A98vtNpCFytkAV9rVbU84RdNack7nV Drlj1RlSTRbqG54OJJME7qFGryw6yCKuVSY/wTd1CSxv/OfEUBiOi2RvGXv6qHh65w4Z BRfWjVW32NY/ARIvN04kuTEiCtoUP2IZakFLgCUk3yimfs5u/ESApFt3nAeaYM1kC4PN UvpHMhmq+33PZkxglZdRrXU18Z2HLjLxdUJCssQXw4FgQ2Z3F4mo0dWxovDxGwy9kmYF 4BHoRcc8DB6MCMeVDO0SOvFInBz3B9TPLImth9mdGCsnRdeGreqBvMr40wURnpAJmO5q O2ng==
X-Gm-Message-State: AOAM5320XzL1I5MTU68tppkdaICSmX+ChJsa1bgBFz+i6MZaJ5Prim6T XwK7rob1KadXcyeemO/bVds5qXFiRGA5au3qyVbj1w==
X-Google-Smtp-Source: ABdhPJydNEX7jzdH9uP2DmVNFGs69qaNtN3q2be4UV7GERPuAs/9CSA3q9t+D2n0FmzBmxXZQeH57oWhaKSUArmsKV0=
X-Received: by 2002:aa7:c2c6:: with SMTP id m6mr13226134edp.118.1595972330371; Tue, 28 Jul 2020 14:38:50 -0700 (PDT)
MIME-Version: 1.0
References: <b380408712364589a45ab9f39ab6f764@huawei.com> <CALx6S35rkA5nVPm6C6MToUdHKFmcAabGfMN9prTiUfWr+GKwCA@mail.gmail.com> <6439ceb9d73b435d950e73a7a2d68fc7@huawei.com> <CALx6S37ih8VabN2PHvQ3ELDvV2DoiUqnd28LRxr4ofj6zUq3Jw@mail.gmail.com> <947a50398cbb4bbcad85462a69d7dd45@huawei.com> <CALx6S35FX-SNoNFhd2JXFio9B0vGVyXGkeob=7x+dn6u4qOaVw@mail.gmail.com> <3bc2b2a1-4f52-6ee0-87de-0a3198186f07@si6networks.com>
In-Reply-To: <3bc2b2a1-4f52-6ee0-87de-0a3198186f07@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 28 Jul 2020 14:38:38 -0700
Message-ID: <CALx6S361eBrf+hNPGNk6StjPfASRdvpKXM1Qo-fkKwCFppVurg@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Vasilenko Eduard <vasilenko.eduard@huawei.com>, IPv6 Operations <v6ops@ietf.org>, "draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org" <draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/_7IQlgHY9UetwCWUkxILX_M6iE8>
Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 21:38:55 -0000

On Tue, Jul 28, 2020 at 1:20 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 28/7/20 16:18, Tom Herbert wrote:
> > On Tue, Jul 28, 2020 at 1:36 AM Vasilenko Eduard
> > <vasilenko.eduard@huawei.com> wrote:
> >>
> >> Hi Tom,
> >> Is APNIC a reliable source for you?
> >> https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
> >> RIPE has replicated it here: https://labs.ripe.net/Members/joel_jaeggli/ipv6-flow-label-misuse-in-hashing
> >> "Cases have been observed where devices that connect to hashed endpoints do not in fact honour this behaviour. By in large, this flow label changing behaviour has been traced to IPv6 supporting CPE/firewalls, which change the flow label between the initial syn and the ack."
> >
> > The rationale for this is: "The use of the flow label as a hash
> > element for any stateful application requires that the flow label
> > remain unchanged over the life of the flow.". This is really directed
> > towards stateful intermediate nodes like stateful firewalls.
>
> IIRC, FreeBSD used to change the Flow Label during the TCP 3WHS vs data
> transfer phase...
>
Fernando,

We had an issue in Linux where the Flow Label can change when closing.
This was causing bad interaction with FW. We treated this as a bug and
fixed it promptly and now flow labels should be consistent for the
lifetime of the flow. Software implementation can have much faster
turnaround time to fix issues and I am still hoping, perhaps naively,
that with the emergence of SDN and programmable datapaths in devices
we can start to get that ability in other network devices and start to
address some long standing issues of protocol non-conformance.

>
>
>
> >> They have disputable conclusion: "Avoid using the flow label as a hash component".
> >
> > This guidance could just as easily be "Avoid fragmentation", "Avoid
> > using any protocols other than UDP or TCP", "Avoid using extension
> > headers", "Avoid ICMP", "Avoid using encapsulation", "Avoid using
> > encryptions" as any of these can break some meddling device somewhere
> > such that packet delivery becomes unreliable on the Internet. More
> > generally, the guidance could simply be "Avoid doing anything that
> > disrupts the status quo"!
>
> Unfortunately, if one is in the "business" of getting data through, one
> would rather stick to whatever works.
>
Yep, this has driven host implementations to support the least common
denominator in protocols. The only general workaround of protocol
ossification to date is encrypting as much of the packet as possible
like in QUIC, but when we do that networks visibility is reduced as is
the opportunities for hosts and network to work in concert to solve
users problems.

Tom

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email