IETF Logo Mail Archive

Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers

Gyan Mishra <hayabusagsm@gmail.com> Sat, 19 September 2020 04:06 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0203A12D5 for <v6ops@ietfa.amsl.com>; Fri, 18 Sep 2020 21:06:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UiqR1bpihA32 for <v6ops@ietfa.amsl.com>; Fri, 18 Sep 2020 21:06:35 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFC143A12D4 for <v6ops@ietf.org>; Fri, 18 Sep 2020 21:06:35 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id y194so4830874vsc.4 for <v6ops@ietf.org>; Fri, 18 Sep 2020 21:06:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ExgE9Wn6lDPNnzY0rwHCcvJ6PRi+ILIXYlhMsUvv3ZY=; b=OljIG92dV2jw5iwQhF2MBBEEcz/PRl/8T+r85QZ6124VHtURFLKTwDB9mXoKBtCLKH mWCpKxH+yY1RxHjpve+xppBeoh/TqF/v0w9cGpsktuKiSwZeKcvBu17nl2lS/RBnbOm+ pQ+Da5OS9Tnvf8xvHmVBo5MB4zBOsNXQ4yM5WZKA+8NbLs6WgTbkAGnzsE2EAw9b94ht OODBO/lgy5HdtRdhaUbrF033IvNeAtlnS2cTZEWTlW+RXtGyLtw6VHzgPWI5WjZOb4MB 7khozWh8x8wr8g5on6XlV0LmGmJdEu/s3dTyHxUNKCUDHj2LR7gx1Nz3ftDUxxw8wvac VKQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ExgE9Wn6lDPNnzY0rwHCcvJ6PRi+ILIXYlhMsUvv3ZY=; b=Bt53iYB4HLFR1CA1uAZ7zorwVjxygspEvO0G0gnWaR9fAOaI0waMnbJbyK214i0nN8 kAKJ1BDuuN8YzPRRR8juT0bjxzpYj8SQ5bjfInGnDTEuimLY5cjs22V3y36XMfRoduMz 48U51z1YjP08O1SjkxvOGzLTCOFUp6k7rNnrpqqgRblc0RRCkD7SHN2WFf3ah+M05bPe 5gCbSX5O4AZJJke7/w/0gYQE3linSZcwh/FxeKgaed/xarmY95p89LWOtOoBeSTvHaiZ /4MmRPydegyInfy6FNWKwXU36aSBViECnXBNdc8LiJWcSmK3f+g6nud2x/MBXvOOG5cb 6xqw==
X-Gm-Message-State: AOAM531Ax3YH/GnksAbi3y0Hp48C3wb7wWTpFAcdr03Hflg8PTHSbPGD IPDM1KDn5Kk58PIraY6WtKZv+zijAajWgpX3bo8=
X-Google-Smtp-Source: ABdhPJwAyzWGUO6tIWUQOxZt2KeL2ZKf5ap0Ktg4zL1QvlOnSW8eoGstuQe2Z9ttE2I6++3lYGNvMbvjWGtACunBQ/U=
X-Received: by 2002:a67:e248:: with SMTP id w8mr13152889vse.33.1600488394661; Fri, 18 Sep 2020 21:06:34 -0700 (PDT)
MIME-Version: 1.0
References: <d8d59ce07f7f4031a545ff6e24fdbb88@huawei.com> <20200729084351.GG2485@Space.Net> <32BAEAEA-7352-4BAE-ADA8-FDA2395D5732@employees.org> <a6ed89a8-c12e-b8d2-c720-5cc02e127a68@si6networks.com> <FCBD1043-A0B2-435A-9AB9-0FCE3566C769@employees.org> <4573db3f-ac8d-3103-1979-e803ae40f117@si6networks.com> <DEB1318E-0E5B-4093-A691-8E1FD35B9F50@strayalpha.com> <A197EF3A-1E1E-40F1-BB50-68469E3C8E63@delong.com> <44481FC7-6E3F-4D5A-A5A9-A338C1836EA1@strayalpha.com> <2ad804a2-e714-6256-3afa-4d4a92fd6d3c@si6networks.com> <9c026e30-149b-172f-0953-456fb2d1e715@gmail.com> <AM7PR07MB6248A43FCBBB5D34AA2DA9AAA0230@AM7PR07MB6248.eurprd07.prod.outlook.com> <7bc1ea18-01c5-54f7-a65d-a53722a4d3c9@si6networks.com> <AM7PR07MB624842F364784EF3AC5B0647A0200@AM7PR07MB6248.eurprd07.prod.outlook.com> <591f5a76-b375-7391-ad4b-bf14ad215536@si6networks.com> <AM7PR07MB6248051BB6A4DCCD8545C730A0200@AM7PR07MB6248.eurprd07.prod.outlook.com> <e66b4848-634d-0905-6bc4-7cd76dd62ea8@si6networks.com>
In-Reply-To: <e66b4848-634d-0905-6bc4-7cd76dd62ea8@si6networks.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sat, 19 Sep 2020 00:06:23 -0400
Message-ID: <CABNhwV2zG0-71gMU615uD8m5WCvWXNwNNwguV8DvAN5AX_UEkw@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: IPv6 Operations <v6ops@ietf.org>, tom petch <ietfc@btconnect.com>
Content-Type: multipart/alternative; boundary="0000000000003b256d05afa2bec6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/bzGYBDrnxMMuaDRuW3rtX8Eyhxk>
Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 04:06:38 -0000

Hi Fernando

In this draft can we talk add point about the catch 22 situation described
in RFC 7045 excerpt below bottom of introduction:

I think this issue is critical to the overall issue with processing of EHs
and operators filtering EHs in some cases unnecessarily.

https://tools.ietf.org/html/rfc7045

   A contributory factor to this problem is that because extension
   headers are numbered out of the existing IP Protocol Number space,
   there is no collected list of them.  For this reason, it is hard for
   an implementor to quickly identify the full set of standard extension
   headers.  An implementor who consults only RFC 2460
<https://tools.ietf.org/html/rfc2460> will miss all
   extension headers defined subsequently.

   This combination of circumstances creates a "Catch-22" situation
   [Heller <https://tools.ietf.org/html/rfc7045#ref-Heller>] for the
deployment of any newly standardised extension
   header except for local use.  It cannot be widely deployed because
   existing middleboxes will drop it on many paths through the Internet.
   However, most middleboxes will not be updated to allow the new header
   to pass until it has been proved safe and useful on the open
   Internet, which is impossible until the middleboxes have been
   updated.



The uniform TLV format now defined for extension headers [RFC6564
<https://tools.ietf.org/html/rfc6564>]
   will improve the situation, but only for future extensions.  Some
   tricky and potentially malicious cases will be avoided by forbidding
   very long chains of extension headers that need to be fragmented
   [HEADER-CHAIN
<https://tools.ietf.org/html/rfc7045#ref-HEADER-CHAIN>].  This will
alleviate concerns that stateless
   firewalls cannot locate a complete header chain as required by the
   present document.

   However, these changes are insufficient to correct the underlying
   problem.  The present document clarifies that the above requirement
   from RFC 2460 <https://tools.ietf.org/html/rfc2460> applies to all
types of nodes that forward IPv6 packets
   and to all extension headers standardised now and in the future.  It
   also requests that IANA create a subsidiary registry that clearly
   identifies extension header types and updates RFC 2780
<https://tools.ietf.org/html/rfc2780> accordingly.
   Fundamental changes to the IPv6 extension header architecture are out
   of scope for this document.



On Wed, Sep 16, 2020 at 5:44 AM Fernando Gont <fgont@si6networks.com> wrote:

> Hi, Tom,
>
>
>
> On 15/9/20 13:08, tom petch wrote:
>
> > From: Fernando Gont <fgont@si6networks.com> Sent: 15 September 2020
>
> > 12:24
>
> >
>
> > Hi, Tom,
>
> >
>
> > On 15/9/20 06:05, tom petch wrote: [...]
>
> >>
>
> >> I wouldn't mind writing a Section that sits between the current
>
> >> Sections 2 and 3 with more background on extension headers, if you
>
> >> think that would be of value.
>
> >>
>
> >> <tp> Yes please.  One page or two pages max, summarising why they
>
> >> were thought a good idea, the different types and their uses, how
>
> >> widely used they are  and with references;  RFC8200 may be
>
> >> Normative but it takes a while to appear and that after RFC2460!
>
>
>
> Ok.  I will craft text and send it to the list for review before
>
> incorporating it.
>
>
>
>
>
>
>
> > An intro to EHs -- and e.g., how the structure compares to the IPv4
>
> > packet structure is simply and doable. OTOH, what you suggest might
>
> > now. :-)
>
> >
>
> > e.g.,Not sure one can tell how widely used they are. Also, getting
>
> > into enumerating EHs will result in the relevant section becoming
>
> > stale soon, since there seems to be quite a bit of development in
>
> > this area.
>
> >
>
> > <tp> My sense is of the middle part of the I-D, the technical detail,
>
> > is floating in mid-air, lacking an introduction, lacking a
>
> > conclusion. and as such will only convince those who are already
>
> > convinced.
>
>
>
> FWIW, at lesast from my pov, we don't really want to convince people (of
>
> doing this or that), but rather want to document the reasons for which
>
> people may drop packets with EHs. i.e. documenting that such packets may
>
> be dropped for very valid rational reasons.
>
>
>
>
>
> > I have to read between the lines to divine that there is a connection
>
> > between fragmentation and EH, between length of packet header and EH,
>
> > between security and EH and so on.  By not making the connection
>
> > explicit, I think that you will lose your target audience.
>
>
>
> Fair enough. I'm always keen to improving the document, so thanks for
>
> the suggestion!
>
>
>
> Regards,
>
> --
>
> Fernando Gont
>
> SI6 Networks
>
> e-mail: fgont@si6networks.com
>
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
>
>
>
>
>
> _______________________________________________
>
> v6ops mailing list
>
> v6ops@ietf.org
>
> https://www.ietf.org/mailman/listinfo/v6ops
>
> --

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *



*M 301 502-134713101 Columbia Pike *Silver Spring, MD

v2.23.0 | Report a Bug | By Email