Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

otroan@employees.org Tue, 15 March 2016 10:12 UTC

From: otroan@employees.org
Date: Tue, 15 Mar 2016 11:12:10 +0100
Message-Id: <566C93D0-62FF-4700-BC05-7F9AF12AF1BD@employees.org>
To: Warren Kumari <warren@kumari.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/j5aZBbDga3Puy9noPJ-9VffG8f8>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

Warren,

[...]

> Yup. Ubiquitous flow labels will solve *one* of the issues with long header chains, but in the remaining cases (my personal bugbear is filtering (for DoS and ingress / edge filters)) the hardware still needs to be capable of doing it (at line rate).

I never understood from the draft what the other use cases were, but those are the ones? Ingress/edge filters and DoS attacks?

From the perspective of a software forwarding path: parsing the extension header chain is _always_ going to be slower than not doing it. That in itself can be considered opening your implementation up to DoS attacks, but oh well.

Can ingress / edge filters be done in two stages? Core routers only filter on SA/DA, while whatever infrastructure function you need to reach applies the deeper filters?

For DoS attacks, are those filters put in place dynamically? What does a typical attack look like? Can you identify it without having to parse EHs? How often are you not able to identify it even when looking deep? Any papers/reports on this?

Best regards,
Ole

PS: In BA we're trying to do a project on VPP for the IETF hackathon; if anyone is interested in implementing EH filtering / parsing and measuring the performance impact on that, it would be very welcome. (VPP is an open source high-performance software data plane running on commodity hardware.)
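An added illustration of the two points in the message above (the cost of walking the extension header chain, and the two-stage filter idea), written in Python as example code that is not from the thread, from the draft or from VPP. The walker bounds the number of headers it visits and stops at ESP, at a non-first fragment and at truncated input; `core_filter` is the first stage (a source-address decision at a fixed offset, no walk); packets, addresses and the 8-header bound are constructed here, header sizes follow RFC 8200 and RFC 4302.

```python
import struct

# Next Header values from RFC 8200 (AH from RFC 4302); SRC/DST are constructed addresses.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, NO_NEXT = 0, 43, 44, 50, 51, 60, 59
EXT_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS)
SRC, DST = b"\x20\x01" + b"\0" * 14, b"\x20\x01" + b"\0" * 13 + b"\1"

def walk_eh_chain(pkt, max_ehs=8):
    """Return (upper_layer_proto, eh_count, reason); proto is None when unresolved."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, 0, "not-ipv6"
    nh, off, seen = pkt[6], 40, 0
    while nh in EXT_HEADERS:
        if seen >= max_ehs:                  # constructed bound: cap the work per packet
            return None, seen, "too-many-ehs"
        if off + 8 > len(pkt):               # every extension header is at least 8 bytes
            return None, seen, "truncated"
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] & 0xFFF8:
                return None, seen + 1, "non-first-fragment"  # upper layer is in another fragment
            length = 8
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4  # AH length field: 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, first unit not counted
        if off + length > len(pkt):
            return None, seen, "truncated"
        nh, off, seen = pkt[off], off + length, seen + 1
    if nh == ESP:
        return ESP, seen, "opaque"           # encrypted: nothing beyond ESP can be inspected
    if nh == NO_NEXT:
        return None, seen, "no-next-header"
    return nh, seen, "ok"

def core_filter(pkt, blocked_sources):
    """Stage 1 (core): decide on the source address alone, a fixed-offset read with no EH walk."""
    return pkt[8:24] not in blocked_sources

def build(chain, upper=6, payload=b"\0" * 20):
    """Constructed test packet: IPv6 header, the EHs in `chain` in order, then `upper`."""
    body = b""
    for t, nxt in zip(chain, chain[1:] + [upper]):
        if t == FRAGMENT:
            body += bytes([nxt, 0, 0, 0, 0, 0, 0, 1])     # offset 0, M=0, identification 1
        elif t == AH:
            body += bytes([nxt, 1, 0, 0]) + b"\0" * 8     # length 1 -> (1+2)*4 = 12 bytes
        else:
            body += bytes([nxt, 0]) + b"\0" * 6           # 8 bytes, Hdr Ext Len 0, rest zeroed
    body += payload
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), (chain + [upper])[0], 64, SRC, DST) + body
```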