Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs-packet-drops-01
Fernando Gont <fgont@si6networks.com> Thu, 03 December 2020 00:38 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A01B3A02BB; Wed, 2 Dec 2020 16:38:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWubQfGeA-jk; Wed, 2 Dec 2020 16:38:05 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD5833A00F7; Wed, 2 Dec 2020 16:38:03 -0800 (PST)
Received: from [IPv6:2800:810:464:8164:9c91:27c0:253d:5241] (unknown [IPv6:2800:810:464:8164:9c91:27c0:253d:5241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id E3DE7283C03; Thu, 3 Dec 2020 00:37:58 +0000 (UTC)
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, v6ops@ietf.org
Cc: fernando@gont.com.ar, Brian E Carpenter <brian.e.carpenter@gmail.com>, draft-ietf-v6ops-ipv6-ehs-packet-drops.authors@ietf.org
References: <d97ca0fd-776a-1525-50d1-3a62fd7edf5f@erg.abdn.ac.uk> <0c121812-44cf-119e-fd09-bb138ff789de@erg.abdn.ac.uk> <d1814cfd-d603-9cc0-f6ae-d37feafb62b8@si6networks.com> <d079c40a-79c7-cb6d-8938-1de64e80cb88@erg.abdn.ac.uk>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <676f329d-658b-4398-3b2e-4e8b835686de@si6networks.com>
Date: Wed, 02 Dec 2020 21:17:24 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <d079c40a-79c7-cb6d-8938-1de64e80cb88@erg.abdn.ac.uk>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/guY67D4FYG-l55IBxY4RmYlJ10E>
Subject: Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs-packet-drops-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 00:38:09 -0000
Hi, Gorry, Thanks for your timely response! In-line.... On 2/12/20 16:33, Gorry Fairhurst wrote: [....|] >> >> In-line... >> >> On 1/12/20 13:30, Gorry Fairhurst wrote: >> [...] >>> >>> * I have some concerns that some of the choices of words could >>> (unintentionally) be taken as endorsing a best practice, which I >>> don't think the IETF would generally promote. This is more about >>> ensuring specific parts can not be quoted out of context. I did a >>> careful read and hope I identified most of these and propose >>> something that might be helpful (please see attached PDF - RTF is >>> identical). I think it would be good to clarify in a few places this >>> is the RFC8200 spec, since I have heard there could be new work to >>> update that. >> >> I don't mind doing that. However, isn't it implicit in all RFCs that >> they are referring to the current specifications (unless otherwise >> noted)? >> >> i.e., regardless of whether there is ongoing work, and whether one is >> aware about it, a spec refers to the IETF status at the time the spec >> is published (*). >> >> (*) Well, modulo RFC Ed processing times. >> >> >> In any case, IIRC, RFC8200 is the current state of affairs when it >> comes to EH processing, so I guess explicitly referencing RFC8200 >> wouldn't hurt. -- I'm CC'ing Brian, who may correct me if my "of the >> top o my head" assessment is not correct :-) >> > The above is all true - and I think it is simple to add the REF! I will apply the proposed ref. I just want to double-check that we're not leaving outside e.g. things like RFC7045, which I should double-check whether it's fully incorporated into RFC8200. Otherwise, just mentioning RFC8200 would be imprecise. >>> * On the measurement evidence: I have a slight concern that the >>> results might not cover the wide variety of use cases and you may >>> like to be more careful in the words you use to generalise these for >>> the "internet". I think we should be aware that in some scenarios an >>> EH might still be effectively used, where path can safely support this. >> >> We're targeting the general case here. As they say, "with sufficient >> thrust, pigs fly just fine". You can, of course, build a network where >> EHs can be used just fine. -- but what we're discussing is the general >> case. >> > Why? - as a transport guy, the only thing that matters is whether a > specific path supports them, the average case just tells me whether I > need a fallback mechanism to cope with a particular path not supporting;-) The evil comment would be that, as a transport guy, you don't control the path. Or, furthermore, there's no concept of "path" for a transport guy ;-) >> >> Some additional comments/questions based on the PDF you've attached: >> >>> However, common implementation limitations suggest >>> that EHs present a challenge for IPv6 packet routing equipment and >>> middle-boxes, and evidence exists that IPv6 packets with EHs have been >> >> Doesn't this imply that this is no longer the case? (i.e. your >> proposed change is "have been") >> >> > /have been/are/ ... if that makes better sense to you, they're > equivalent to me - you observe what has happens and you can predict what > is happening, you might now know the future. WHat I mean is that we're not referring to the occurence of some event in the past, but rather about something that is still the case. >>> If an IPv6 header chain is sufficiently long that its header exceeds >>> the packet look-up capacity of the router, then it would be dropped by >>> hardware that is unable to determine how it should be handled. >> >> This seems rather confusing. It's the router that drops the packet. >> > /hardware/router hardware/ Would the meaning be hanged if we just say "router"? > >>> 5.1. >>> Recirculation >>> Although TLV chains are amenable to iterative processing on >>> architectures that have packet look-up engines with deep inspection >>>>>> is this /that/ ? >> >> Not sure what you mean.... >> > I was suggesting using that in place of /which/... minor nit. Oops -- my bad! (And thanks for it, btw! For English-as-second language I remember studying "that vs. which"... and it seems I should recheck, as the RFC-Ed frequently corrects these for me :-( ) >>> As layer-4 port >>> information increases the entropy of the hash, it is normally highly >>> desirable to use it where possible. >>>>>> I don’t agree with that actually, - but maybe others think so, >>>>>> please check >>>>>> RFCs relating to ECMP or perhaps rephrase, something like: >>>>>> /Layer-4 port >>> information can increase the entropy of the hash, and is often >>> thought desirable to use it where it is available. >>> /? >> >> Your suggested change seems fine to me. That said, what would you >> employ for the hash if not the ports? >> > flow label? The thing is that you cannot rely on it. So, if you want entropy, your safe bet is to use the port numbers.... >>> We note that in the IPv6 world, flows are expected to be identified >>> by means of the IPv6 Flow Label [RFC6437]. Thus, ECMP and Hash-based >>> Load-Sharing is possible without the need to process the entire >>>>>> why /would be possible/ ... some networks do this, and many RFCs >>>>>> encourage this? >> >> Support for the FL is not widely deployed and implemented (see >> [Cunha-2020]) >> > Yes I looked at Cunha - it's just a slide deck - is there a paper that > can be read to check the measurement methodology and results? There's also a paper -- my apologies for not referencing it. I will check if it's online, and otherwise ask the author for permission to share it. > I hear others saying that it is now more often being set, ... so I'm > just urging caution here, because I am not sure v6OPS need to comment on > the results of this on-going work at this stage. For instance... what is > the chance that a router now observes a flow label set to non-zero? ... It's not only to have a non-zero FL, but also that the FL is set correctly -- e.g., some implementations used to employ one FL value during 3WHS, and another during the life of a connection. Thus, if you were using the FL for load-sharing, it would actually break things. FWIW, I wish the FL was widely and correctly implemented and deployed -- I'm just the messenger here. >>> Perhaps; >>> /When many IPv6 >>> implementations failed to set the Flow Label, many ECMP and Hash-based >>> Load-Sharing devices also did not include the Flow Label [Cunha-2020], >>> possibly as a result of issues that have been found >>> in host implementations and middle-boxes [Jaeggli-2018]./ >>> although it seems like >> >> The suggested change seems to imply that the situation has changed, >> but I believe it hasn't. [Cunha-2020] provides evidence in this >> respect. SO assuming that this is something from the past would be >> inaccurate. >> > Well.... we can debate this, if we need to, however: - i.e., I think > the existence of techniques that utilise ports is sufficient to justify > why the router wishes to traverse the header chain, and why extension > headers are problematic - that does not need to present anything about > what is good practice for ECMP without predjudice to deployment of > FL-based methods. What we mean here is: the reader might wonder "why don't you just use the FL? -- Because we can't". More of empirical evidence than prejudice. >>>>>> I suggest the section includes mention of the IETF recommendation, >>>>>> and there the path with “clearly...” should be at the end! >> >> Ok with moving the para "Clearly.." to the end. That said, could you >> elaborate on what IETF recommendation you're referring to? >> >>> Use of extension headers can result problematic for NIDS/IPS, since: >>>>> /may/can/ ... not necessary, but might as well use /can/ in this case? >> >> Doesn't "may" imply possibility here? >> > No. In many reader's eyes this is permissive ... do it would read are > permitted to. Any alternative wording that would convey "possibility" rather than "ability" or "permission"? >>> As a result, in order to increase the efficiency or effectiveness of >>> these systems, packets employing IPv6 extension headers can be >>>>>> /can/ or /have been/are being/ ... to follow the previous argument? >>> dropped at the network ingress point(s) of networks that deploy these >>> systems. >> >> (Must admit that since you're a native English speaker, I have a high >> probability of being wrong :-), but, anyway): >> >> Packets can be drop, whether with EHs or anything else (i.e., the >> contents of a packet does not affect the ability of a device dropping >> them -- at the end of the day, a device can drop *all* packets if it >> feels like). >> > :-) >> What we are meaning here is that dropping packets with EHs is indeed >> one option to increase the efficiency and effectiveness of these systems. > That sounds correct. Would modifying the text as phrased address your comment? >>> o Use of unknown extension headers can prevent an NIDS/IPS to >>> process layer-4 information >> >> I this case, I think both are fine: -- "can" as in ability, and "may" >> as in possibility >> > - but not may as in "are permitted to"... Would "could" be better to convey "posibility" rather than ability or permission? >>> When such devices are unable to obtain the >>> required information, they might simply resort to dropping the >>>>>> /may/might/ ? >> >> "might" reads as a possibly imaginary situation. What we are meaning >> is that some devices *do* this. >> > OK : then say that devices do this,... rather than they are permitted to. I'll tweak to: "Some of such devices, when unable to obtain the required information, simply resort to...". OK? >> >>> Some router implementations lack fine-grained filtering of IPv6 >>> extension headers. For example, an operator may want to drop packets >>> containing Routing Header Type 0 (RHT0) but may only be able to >>> filter on the extension header type (Routing Header). As a result, >>> the operator would end up enforcing a more coarse filtering policy >>> (e.g. "drop all packets containing a Routing Header" vs. "only drop >>> packets that contain a Routing Header Type 0"). >> >> The proposed change seems to change the meaning of the paragraph. >> i.e., these things *do* happen. >> > How about something like: > > Some router implementations do not have fine-grained filtering of IPv6 > extension headers. For example, an operator that wishes to drop packets > containing Routing Header Type 0 (RHT0), may only be able to > filter on the extension header type (Routing Header). This would > > result in an operator enforcing a more coarse filtering policy > (e.g. "drop all packets containing a Routing Header" vs. "only drop > packets that contain a Routing Header Type 0"). > > ??? Looks good to me! Thanks! >>> Additionally, implementation >>> inconsistencies in packet forwarding engines can result in evasion of >>> security controls [I-D.kampanakis-6man-ipv6-eh-parsing] [Atlasis2014] >>> [BH-EU-2014]. >> >> The original text said "...may result in evasion". It would seem to me >> that both are correct ("can" = ability, "may" = possibility)? >> Actually, the later implies the former? >> >> > /can/will/ or whatever or just /result in/ ? "often results in"? >> Same for this one: >> >>> Packets with attached IPv6 Extension Headers can impact performance >>> on routers that forward them. >> > Except in this case, I think the performance of some designs of router > are impacted when forwarding packets with IPv6 EH. Other than HbH, the performance impact generally results from looking up the L4 header. That said, upon re-read of your suggestion, it looks good to me. >>> [Gont-Chown-IEPG89] >>> Gont, F. and T. Chown, "A Small Update on the Use of IPv6 >>> Extension Headers", IEPG 89. London, UK. March 2, 2014, >>> <http://www.iepg.org/2014-03-02-ietf89/fgont-iepg-ietf89- >>> eh-update.pdf>. >>> [Gont-IEPG88] >>> Gont, F., "Fragmentation and Extension header Support in >>> the IPv6 Internet", IEPG 88. Vancouver, BC, Canada. >>> November 13, 2013, <http://www.iepg.org/2013-11-ietf88/ >>> fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>. >>>>>> These don’t seem great presentations, and seem like they were >>>>>> mostly replaced by iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0? >>>>>> I don’t know why these are useful as references? RC7872 also >>>>>> covers this? >> >> They are listed as they were part of the work that eventually resulted >> in RFC7872, and as an indication of for how long the problem has been >> looked into. At the time, we didn't even have tools to do the >> measurements. For example, the path6 tool I implemented, and the >> support in RIPE Atlas were triggered by these efforts. > I don't agree with that. Which part, specifically? :-) Well, I don't think there were tools available at the time. But if you know of any, I'd like to know! > They are actually cited in RFC7872 if taht is your reason, so that is already clear! That said, I don't mind removing these two references. They were including in this document at a time RFC7872 didn't exist -- i.e. we don't have any special motivation for including them. Thanks! Regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs-pac… Gorry Fairhurst
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Gorry Fairhurst
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Tom Herbert
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Brian E Carpenter
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Brian E Carpenter
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Tom Herbert
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Gorry Fairhurst
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Gorry Fairhurst
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Tom Herbert
- [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs-pac… Fred Baker
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… Fernando Gont
- Re: [v6ops] Comments on draft-ietf-v6ops-ipv6-ehs… tom petch