Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs-packet-drops-01.txt
Fernando Gont <fgont@si6networks.com> Wed, 14 October 2020 17:02 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C13983A08C4; Wed, 14 Oct 2020 10:02:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.112
X-Spam-Level:
X-Spam-Status: No, score=-2.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.213, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihh4lGH354Db; Wed, 14 Oct 2020 10:02:16 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61D3F3A08CA; Wed, 14 Oct 2020 10:02:16 -0700 (PDT)
Received: from [IPv6:2800:810:464:b9c:4d77:be33:d267:ab18] (unknown [IPv6:2800:810:464:b9c:4d77:be33:d267:ab18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 981092800FF; Wed, 14 Oct 2020 17:02:12 +0000 (UTC)
To: "Dale W. Carder" <dwcarder@es.net>, Fernando Gont <fernando@gont.com.ar>
Cc: v6ops@ietf.org, draft-ietf-v6ops-ipv6-ehs-packet-drops.authors@ietf.org
References: <160267848680.30465.9254381369345717221@ietfa.amsl.com> <6f1419fa-19ef-173a-5095-35fa51cc4ed2@gont.com.ar> <20201014161946.GA65211@dwc-desktop.local>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <9ef70e2f-f2af-de92-2cac-face385c097c@si6networks.com>
Date: Wed, 14 Oct 2020 13:39:21 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <20201014161946.GA65211@dwc-desktop.local>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/d-bACbRfmWFCSlUMzlWM1gg48zc>
Subject: Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs-packet-drops-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 17:02:20 -0000
Hello, Dale, Thanks a lot for your timely feedback! In-line.... On 14/10/20 13:19, Dale W. Carder wrote: > Thus spake Fernando Gont (fernando@gont.com.ar) on Wed, Oct 14, 2020 at 09:37:38AM -0300: >> The rev is available at: >> https://tools.ietf.org/html/draft-ietf-v6ops-ipv6-ehs-packet-drops-01 > > In section 7.4, is it worth referencing covert channel risk from rfc6437's > section 6.1? Section 7.4 is about the security implications of *EHs*... so that would be off-topic, so to speak... > In section 7.1, I thought there was a class of devices (routers) where if > configured with a packet filter / acl that when unable to find the upper > protocol information buried past the size of the lookup engine would actually > forward traffic even if the policy was to deny. I could have sworn I saw > this topic fly by on the v6ops list, but I can't find it (thus I don't want > to mistakenly name and shame). I do recall reports of that. I guess we can simply note it without a reference? (I don't mind the reference myself, but some of my co-authors might differ :-) ) > I am not sure if I agree with the last paragraph of 6.1 which opines on > the low adoption of rfc6437-style flow label hash entropy. We don't argue low-entropy, but issues with the Flow Label implementation. See e.g.: https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/ > I would > expect that the current low adoption in ecmp implementations is a > chicken/egg problem. If you have a product that needs to hash and you are > not confident there is enough adoption in host stacks, you are still forced > to hunt for entropy from the upper-protocol protocols. Otherwise all the > legacy host traffic with the flow label set to 0 risks getting hashed > entirely to one side or face reordering. We're just stating that there's marginal usage of the Flow Label, which is what the work by Cunha et al seems to indicate. As to the possible consequences, part might be LBs lagging behind host implementations. But issues in the Flow Label implementation might have also discouraged its use. That said, the important info that Section 6.1 is meant to convey is that there still seems to be marginal use of the FL. And also note that issues have been found in FL implementations. -- i.e., we're not trying to infer why there's marginal use of the FL. If you think this warrants some tweaks in the text, please do let us know. Thanks! Regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs-pac… internet-drafts
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Dale W. Carder
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Brian E Carpenter
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Dale W. Carder
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] I-D Action: draft-ietf-v6ops-ipv6-ehs… Fernando Gont