[v6ops] AD review of draft-ietf-v6ops-ipv6-ehs-packet-drops-03

"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 01 February 2021 12:10 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "draft-ietf-v6ops-ipv6-ehs-packet-drops@ietf.org" <draft-ietf-v6ops-ipv6-ehs-packet-drops@ietf.org>
CC: IPv6 Operations <v6ops@ietf.org>, "v6ops-chairs@ietf.org" <v6ops-chairs@ietf.org>
Date: Mon, 01 Feb 2021 12:10:30 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/iqtpqSIRolTWMbMVIpm-gcoo8qM>

Hi,

Here is my AD review of draft-ietf-v6ops-ipv6-ehs-packet-drops-03.

Overall, I found the document pleasant to read and informative, so thank you for writing this up.  I have a few minor comments for the authors to consider:

5.  Packet Forwarding Engine Constraints

   NOTE:
      For example, contemporary high-end routers can use up to 192 bytes
      of header (Cisco ASR9000 Typhoon) or 384 bytes of header (Juniper
      MX Trio).
      
Please can you remove the vendors/products here and report the information more generally.  I suspect that the limitation depends on the switch ASIC, and is somewhat likely to vary by linecard, even for the same platform.


   NOTE:
      Section 6 discusses some of the reasons for which a contemporary
      router might need to access layer-4 information to make a
      forwarding decision.

This is purely editorial, but I would probably have just tacked this on to the previous paragraph rather than have it as a separate "NOTE:"      

   Historically, some packet forwarding engines punted packets of this
   form to the control plane for more in-depth analysis, but this is
   unfeasible on most contemporary router architectures as a result of
   the vast difference between the hardware forwarding capacity of the
   router and processing capacity of the control plane and the size of
   the management link which connects the control plane to the
   forwarding plane. 

I'm not sure whether this is worth clarifying, but I think that this is simplifying contemporary forwarding architectures somewhat:  Platforms may have a separate software forwarding plane that is distinct both from the hardware forwarding plane and the control plane.  E.g., IPv4 options might be processed in a software forwarding plane rather than in the hardware or the control plane.  However, the key point that the CPU and network bandwidth to the CPU are limited resources is entirely valid.

   If a hardware forwarding engine on a contemporary router cannot make
   a forwarding decision about a packet because critical information is
   not sent to the look-up engine, then the router will normally drop
   the packet. 

   If an IPv6 header chain is sufficiently long that it exceeds the
   packet look-up capacity of the router, the router could resort to
   dropping the packet, as a result of being unable to determine how the
   packet should be handled. 
   
These two paragraphs feel like they are saying the same thing.  Perhaps they should be amalgamated?

5.1.  Recirculation

I was surprised by this section, although I'm not disputing it.  I've heard of forwarding architectures recirculating tunnelled packets, but I've not heard of this recirculation for processing each and every IPv6 extension header.



6.  Requirement to Process Layer-3/layer-4 information in Intermediate
    Systems
    
For the last 2 sub-sections, this section also covers why extension headers are problematic, but not for the other sections.  Hence wondering if this is structured in the best way?  E.g., would it be better if the implications for sections 6.4 and 6.5 were discussed in section 7 instead?

In addition, should the title of this section (6) indicate that it also covers application layer information?


6.5

   As a result, whether because of the challenges represented by
   extension headers or because the use of IPv6 extension headers has
   not been explicitly allowed, packets employing IPv6 extension headers
   are often dropped by network firewalls. 
   
I found this paragraph slightly harder to parse than it perhaps needs to be, and
possibly it might be easier reversed:

   As a result, packets employing IPv6 extension headers are often dropped
   by network firewalls, either because of the challenges represented by
   extension headers or because the use of IPv6 extension headers has not
   been explicitly allowed.


Nits:      
  maybe -> may be
  "e.g. " => "e.g., "

Regards,
Rob
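
Added example, not part of the original message or of the draft: Python code that walks an IPv6 extension header chain and checks whether the layer-4 header still falls inside a fixed look-up window, using the 192-byte and 384-byte figures from the draft text quoted above. The names `l4_offset`, `fits_lookup_window` and `build_sample`, the 4-byte port requirement and the sample packets are assumptions made for illustration.

```python
import struct

# Headers sharing the generic layout (Next Header, Hdr Ext Len in 8-octet units):
# Hop-by-Hop Options (0), Routing (43), Destination Options (60).
GENERIC_EH = {0, 43, 60}
FRAGMENT, AH = 44, 51
IPV6_FIXED_LEN = 40


def l4_offset(packet: bytes):
    """Walk the header chain; return (upper-layer protocol, offset of its header)."""
    if len(packet) < IPV6_FIXED_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], IPV6_FIXED_LEN
    while nh in GENERIC_EH or nh in (FRAGMENT, AH):
        if off + 8 > len(packet):
            raise ValueError("truncated header chain")
        if nh == FRAGMENT:
            size = 8                          # fixed-size header
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return packet[off], None      # non-first fragment: no L4 header here
        elif nh == AH:
            size = (packet[off + 1] + 2) * 4  # AH counts 4-octet units, minus 2
        else:
            size = (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            raise ValueError("truncated header chain")
        nh, off = packet[off], off + size
    return nh, off


def fits_lookup_window(packet: bytes, window: int, l4_bytes: int = 4) -> bool:
    """True if the first l4_bytes of the upper-layer header lie inside the window.

    l4_bytes=4 (the TCP/UDP port fields) is an assumption about what the
    look-up engine needs; real hardware differs.
    """
    _, off = l4_offset(packet)
    return off is not None and off + l4_bytes <= window


def build_sample(eh_sizes, l4_proto=17):
    """Constructed sample: one Destination Options header per size, then UDP."""
    protos = [60] * len(eh_sizes) + [l4_proto]
    chain = b""
    for i, size in enumerate(eh_sizes):       # size: multiple of 8, 8..256
        pad = bytes([1, size - 4]) + bytes(size - 4)   # a single PadN option
        chain += bytes([protos[i + 1], size // 8 - 1]) + pad
    payload = chain + struct.pack("!HHHH", 53, 53, 8, 0)
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), protos[0], 64) + bytes(32)
    return fixed + payload
```

With three 64-byte Destination Options headers the UDP header starts at offset 232, which is outside a 192-byte window but inside a 384-byte one.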