IETF Logo Mail Archive

Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)

Fernando Gont <fgont@si6networks.com> Wed, 12 June 2013 20:23 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DDB611E80F0; Wed, 12 Jun 2013 13:23:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9zioF0K8RZC; Wed, 12 Jun 2013 13:23:06 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 8927011E80BA; Wed, 12 Jun 2013 13:23:05 -0700 (PDT)
Received: from [2001:5c0:1400:a::323] by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1UmrZN-0001Ya-Qq; Wed, 12 Jun 2013 22:23:01 +0200
Message-ID: <51B8D8A4.6030002@si6networks.com>
Date: Wed, 12 Jun 2013 22:23:00 +0200
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Robert Elz <kre@munnari.OZ.AU>
References: <20130612174908.GT2504@Space.Net> <51B6876A.9020202@si6networks.com> <F13710AB-0E74-45D1-81A6-1F22D01D5403@steffann.nl> <20130612003800.0374235C2E8B@drugs.dv.isc.org> <51B867C8.8010100@si6networks.com> <51B8AAA7.3020909@isi.edu> <10707.1371062690@perseus.noi.kre.to>
In-Reply-To: <10707.1371062690@perseus.noi.kre.to>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: IPv6 Operations <v6ops@ietf.org>, "6man@ietf.org" <6man@ietf.org>, Internet Area <int-area@ietf.org>
Subject: Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2013 20:23:07 -0000

On 06/12/2013 08:44 PM, Robert Elz wrote:
>   | We're not talking ivory tower theoretical routers.  We're talking about
>   | devices that can stand the heat out there, like "be able to apply different
>   | rate limiting classes to incoming BGP SYNs from trusted networks, and to
>   | ICMP packets from the world".  This MUST be done by the hardware, and it
>   | MUST be able to look at *Layer 4* information.
> 
> If that's the issue, then the routers should just be treating any packet with
> a frag header like dirt.  

That's not what the discussion is about. We're talking about long IPv6
header chains... which might not contain a fragment header (e.g., simply
the fixed IPv6 header, plus one long (or a few) dest options header, and
then the real payload).


> That's what they deserve.  Lowest sched priority,
> and most likely to be dropped.   That's easy to accomplish in hardware (well
> as easy as anything else that involves looking down header chains) 
> and perfectly acceptable - everyone knows that if one sends fragmented packets
> performance goes out the window.   Perfectly acceptable result, and no
> changes at all to v6 specs are needed to get to that.

It is not quite acceptable if the specs say one thing, and the real
world says another.



> On the other hand, if the real issue is firewalls, then there really should be
> no issue at all - firewalls already need to be able to reassemble packet
> chains,

There are stateless filters, too.



> Lastly, this comment caught my eye ...
> 
> fgont@si6networks.com said:
>   | It doesn't change how fragmentation works. It just clarifies a corner case
>   | which was allowed by the standard, but is not employed in practice, and none
>   | expected to happen. 
> 
> Huh?   Is that really claimimng that no-one ever thought that the frag
> header would be anywhere but last in the header chain?   That would be
> absurd. 

I have no idea what you're talking about. The current version of
draft-ietf-6man-oversized-header-chain essentially bans packets such as
thos in page 5 of
<http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-07>

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email