Re: [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Fernando Gont <> Tue, 09 March 2021 23:03 UTC

To: Tom Herbert <>, Fred Baker <>
Cc: Mark Smith <>, Gorry Fairhurst <>, IPv6 Operations <>
From: Fernando Gont <>
Date: Tue, 9 Mar 2021 20:03:03 -0300

On 9/3/21 19:07, Tom Herbert wrote:
> Yes, ACLs on transport layer ports are common requirements, however
> the problem arises from related requirements that arise due to the
> limitations of routers to be able to locate the transport layer
> information in a packet. An example of such an implied requirement
> from this draft is "don't send packets with IPv6 header chains that
> are too long because some routers can't parse deep enough into packets
> to find the transport layer ports due to implementation constraints
> (like limited size parsing buffer)".

You seem to be reading more from the document than what we actually said 
in the document.

There are no requirements in this document. We simply explain the things 
operators need to do, the associated limitations in real-world devices, 
and the likely outcome.

That's not an implied requirement, but simply a description of facts.

> While the rationale for the
> requirement may make sense, the problem, at least from the host stack
> perspective of trying to send packets with low probability they'll be
> dropped, is that a requirement that "don't send IPv6 header chains that
> are too long" is useless without any quantification as exactly to what
> "too long" might be.

"too long" for the processing device(s). You don't know what devices 
will process your packets, hence cannot even guess what "too long" might 

What you know for sure is that the longer the chain, the lower the 
chances of your packets surviving -- as per RFC7872.

Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
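The exchange above turns on one mechanical fact: a device enforcing a port-based ACL has to walk the whole extension-header chain before it can see the transport ports, and it can only walk as far as its parsing buffer reaches. The following is an added illustration, not code from the draft, from either correspondent or from any router vendor. It builds a few IPv6 packets in memory (constructed addresses 2001:db8::1 and 2001:db8::2, a TCP SYN to port 443), walks the chain under an assumed parse limit, and applies a default-deny port ACL the way a fail-closed device would. The `parse_limit` values of 64 and 128 bytes are assumptions chosen to show the effect, not figures from any real product.

```python
"""Added example: walk an IPv6 extension-header chain the way a port-based
ACL on a forwarding device must, under a fixed parse-buffer size.
All packets are constructed here; the parse limit is an assumption."""
import struct

# IANA protocol numbers for the headers this example handles.
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
TCP, UDP = 6, 17
IPV6_HDR_LEN = 40


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (constructed addresses 2001:db8::1 -> 2001:db8::2)."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def dest_opts(next_header: int) -> bytes:
    """Minimal 8-byte Destination Options header: Hdr Ext Len 0, one PadN(6) option."""
    return bytes([next_header, 0, 1, 4]) + b"\x00" * 4


def fragment(next_header: int, offset8: int, more: bool, ident: int = 0x1234) -> bytes:
    """8-byte Fragment header; offset is in 8-octet units, M flag is bit 0."""
    return struct.pack("!BBHI", next_header, 0, (offset8 << 3) | int(more), ident)


def tcp(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN with no options (seq/ack/checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def locate_transport(pkt: bytes, parse_limit: int) -> dict:
    """Follow Next Header fields from the base header until an upper-layer
    protocol is reached, never reading a byte at or past `parse_limit`
    (the device's parsing buffer, an assumption of this example)."""
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return {"status": "truncated", "proto": None, "offset": off}
        if off + 8 > parse_limit:          # cannot even read NH / Hdr Ext Len
            return {"status": "beyond_parse_limit", "proto": None, "offset": off}
        if nh == FRAGMENT:
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag >> 3:                  # non-first fragment: no transport header at all
                return {"status": "non_first_fragment", "proto": None, "offset": off}
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first 8
        nh, off = pkt[off], off + hdr_len
    if off + 4 > parse_limit:              # transport header reached, but the ports are past the buffer
        return {"status": "beyond_parse_limit", "proto": nh, "offset": off}
    if off + 4 > len(pkt):
        return {"status": "truncated", "proto": nh, "offset": off}
    return {"status": "ok", "proto": nh, "offset": off}


def port_acl_verdict(pkt: bytes, parse_limit: int, allowed_dst_ports: set) -> str:
    """Default-deny port ACL: accept TCP/UDP to an allowed port, drop anything the
    device cannot classify (the fail-closed behaviour that turns a long chain into a drop)."""
    r = locate_transport(pkt, parse_limit)
    if r["status"] != "ok":
        return "drop:" + r["status"]
    if r["proto"] not in (TCP, UDP):
        return "drop:not_tcp_udp"
    dport = struct.unpack("!H", pkt[r["offset"] + 2:r["offset"] + 4])[0]
    return "accept" if dport in allowed_dst_ports else "drop:port_not_allowed"


# Constructed packets: the same TCP SYN to port 443 with 0, 1 and 3 Destination
# Options headers in front of it, plus a non-first fragment of such a packet.
PLAIN = ipv6(TCP, tcp(40000, 443))
ONE_EH = ipv6(DSTOPTS, dest_opts(TCP) + tcp(40000, 443))
THREE_EH = ipv6(DSTOPTS, dest_opts(DSTOPTS) + dest_opts(DSTOPTS) + dest_opts(TCP) + tcp(40000, 443))
LATER_FRAG = ipv6(FRAGMENT, fragment(TCP, offset8=1, more=False) + b"\x00" * 32)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("1 EH", ONE_EH), ("3 EH", THREE_EH), ("frag", LATER_FRAG)]:
        for limit in (64, 128):
            print(f"{name:6s} parse_limit={limit:3d} -> {port_acl_verdict(pkt, limit, {443})}")
```

With a 64-byte parse limit the packet carrying three extension headers is dropped even though it is addressed to an allowed port: the transport header starts at byte 64, so the ports are simply not visible to the device. Raise the limit to 128 and the same packet is accepted, which is the "depends on the processing device" answer given above in executable form. The non-first fragment is dropped at any limit, since there is no transport header in it to inspect.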