IETF Logo Mail Archive

Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer

Vasilenko Eduard <vasilenko.eduard@huawei.com> Tue, 28 July 2020 08:37 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D9543A08C0; Tue, 28 Jul 2020 01:37:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9V4E9HSmqXQI; Tue, 28 Jul 2020 01:37:06 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82D8B3A08D7; Tue, 28 Jul 2020 01:37:00 -0700 (PDT)
Received: from lhreml711-chm.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 1D348444BD46870F8F5F; Tue, 28 Jul 2020 09:36:55 +0100 (IST)
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by lhreml711-chm.china.huawei.com (10.201.108.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Tue, 28 Jul 2020 09:36:54 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml703-chm.china.huawei.com (10.219.141.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Tue, 28 Jul 2020 11:36:54 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.1913.007; Tue, 28 Jul 2020 11:36:54 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Tom Herbert <tom@herbertland.com>
CC: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, "draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org" <draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org>
Thread-Topic: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer
Thread-Index: AQHWZCBNgvrnr0hITbeSprlQeXLX06kbuR9A///jMoCAAQipcA==
Date: Tue, 28 Jul 2020 08:36:53 +0000
Message-ID: <947a50398cbb4bbcad85462a69d7dd45@huawei.com>
References: <b380408712364589a45ab9f39ab6f764@huawei.com> <CALx6S35rkA5nVPm6C6MToUdHKFmcAabGfMN9prTiUfWr+GKwCA@mail.gmail.com> <6439ceb9d73b435d950e73a7a2d68fc7@huawei.com> <CALx6S37ih8VabN2PHvQ3ELDvV2DoiUqnd28LRxr4ofj6zUq3Jw@mail.gmail.com>
In-Reply-To: <CALx6S37ih8VabN2PHvQ3ELDvV2DoiUqnd28LRxr4ofj6zUq3Jw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.207.38]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/iyRVzFvn5kmd4XIXJX-MizcdtSw>
Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2020 08:37:09 -0000

Hi Tom,
Is APNIC a reliable source for you?
https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
RIPE has replicated it here: https://labs.ripe.net/Members/joel_jaeggli/ipv6-flow-label-misuse-in-hashing
"Cases have been observed where devices that connect to hashed endpoints do not in fact honour this behaviour. By in large, this flow label changing behaviour has been traced to IPv6 supporting CPE/firewalls, which change the flow label between the initial syn and the ack."
They have disputable conclusion: "Avoid using the flow label as a hash component".

Additional corner case: https://github.com/pypa/warehouse/issues/5454

Eduard
-----Original Message-----
From: Tom Herbert [mailto:tom@herbertland.com] 
Sent: 27 июля 2020 г. 22:24
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: Fernando Gont <fgont@si6networks.com>; IPv6 Operations <v6ops@ietf.org>; draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
Subject: Re: [v6ops] Operational Implications of IPv6 Packets with Extension Headers - Load Balancer

On Mon, Jul 27, 2020 at 11:05 AM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
>
> Hi Tom,
> I believe that risk still exist that some application would no use flow label properly.

Exactly which applications are you concerned about?

> Hence, it is better on LB to deep dive into UDP/TCP. More predictable/reliable result.

You seem to be assuming a very limited traffic profile that consists only of plain UDP/TCP packets. Any use case that deviates from that then breaks your LB (i.e. encapsulation, tunneled encryption, SCTP, IPSec, etc.). Flow label is in all IPv6 packets and is mostly set properly for the vast majority of packets on the Internet and processing it is completely independent of the protocols, so when taking the full scope of the problem into account it is actually more generic and more predictable/reliable.

Tom

> Eduard
> -----Original Message-----
> From: Tom Herbert [mailto:tom@herbertland.com]
> Sent: 27 июля 2020 г. 17:15
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: Fernando Gont <fgont@si6networks.com>; IPv6 Operations 
> <v6ops@ietf.org>; draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
> Subject: Re: [v6ops] Operational Implications of IPv6 Packets with 
> Extension Headers - Load Balancer
>
> On Mon, Jul 27, 2020 at 2:08 AM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> >
> > Hi Fernando,
> > Hence again, following the logic of this draft (the level of detalization that you have given to 5.1) - may be you need additional section 5.1.x: Load Balancer have to look into TCP/UDP ports. Moreover, it could not trust "Flow label" - it is not reliable practice for LB.
>
> Eduard,
>
> What exactly does "not reliable practice for LB" mean.? If this means that the flow label might change during the flow's lifetime then I will point out that UDP is equally unreliable for that reason (i.e.
> the UDP ports for a QUIC connection can change during the connection's lifetime). For that matter, a TCP header might be encrypted or in an encapsulation that the LB doesn't understand so the LB can't access the TCP ports at all-- in the this case the flow label is actually more reliable than TCP since it's never encrypted and is purposely designed to be consumed by intermediate nodes without the need for expensive DPI.
>
> Tom
> > Or alternatively you could say something about LB in section 5.1.2, 
> > but because it is a little special case - may be better to have 
> > separate 5.1.x
> >
> > Eduard
> > -----Original Message-----
> > From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Fernando 
> > Gont
> > Sent: 26 июля 2020 г. 8:46
> > To: IPv6 Operations <v6ops@ietf.org>
> > Cc: draft-gont-v6ops-ipv6-ehs-packet-drops@ietf.org
> > Subject: [v6ops] Operational Implications of IPv6 Packets with 
> > Extension Headers (Fwd: New Version Notification for
> > draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt)
> >
> > Folks,
> >
> > We have posted a rev of our IETF I-D "Operational Implications of IPv6 Packets with Extension Headers".
> >
> > The I-D is available at:
> > https://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-packe
> > t-
> > drops-04.txt
> >
> > Your feedback will be appreciated.
> >
> > Thanks!
> >
> > Cheers,
> > Fernando
> >
> >
> >
> >
> > -------- Forwarded Message --------
> > Subject: New Version Notification for 
> > draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> > Date: Sat, 25 Jul 2020 22:28:50 -0700
> > From: internet-drafts@ietf.org
> > To: Fernando Gont <fgont@si6networks.com>, Gert Doering 
> > <gert@space.net>, Geoff Huston <gih@apnic.net>, Warren Kumari 
> > <warren@kumari.net>, Nick Hilliard <nick@inex.ie>
> >
> >
> > A new version of I-D, draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
> > has been successfully submitted by Fernando Gont and posted to the IETF repository.
> >
> > Name:           draft-gont-v6ops-ipv6-ehs-packet-drops
> > Revision:       04
> > Title:          Operational Implications of IPv6 Packets with Extension Headers
> > Document date:  2020-07-25
> > Group:          Individual Submission
> > Pages:          15
> > URL:
> > https://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-packe
> > t-
> > drops-04.txt
> > Status:
> > https://datatracker.ietf.org/doc/draft-gont-v6ops-ipv6-ehs-packet-dr
> > op
> > s/
> > Htmlized:
> > https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops-0
> > 4
> > Htmlized:
> > https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-ehs-pack
> > et
> > -drops
> > Diff:
> > https://www.ietf.org/rfcdiff?url2=draft-gont-v6ops-ipv6-ehs-packet-d
> > ro
> > ps-04
> >
> > Abstract:
> >     This document summarizes the security and operational implications of
> >     IPv6 extension headers, and attempts to analyze reasons why packets
> >     with IPv6 extension headers may be dropped in the public Internet.
> >
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> >
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email