Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

Nick Hilliard <> Fri, 18 March 2016 15:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 41F8312D6B0 for <>; Fri, 18 Mar 2016 08:59:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WbHjrkbQ4f_z for <>; Fri, 18 Mar 2016 08:59:29 -0700 (PDT)
Received: from ( [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 972B312D56F for <>; Fri, 18 Mar 2016 08:59:29 -0700 (PDT)
Received: from ( [] (may be forged)) (authenticated bits=0) by (8.15.2/8.14.9) with ESMTPSA id u2IFxGLt059075 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 18 Mar 2016 15:59:16 GMT (envelope-from
X-Authentication-Warning: Host [] (may be forged) claimed to be
Message-ID: <>
Date: Fri, 18 Mar 2016 15:59:14 +0000
From: Nick Hilliard <>
User-Agent: Postbox 4.0.8 (Macintosh/20151105)
MIME-Version: 1.0
To: "Fred Baker (fred)" <>
References: <> <> <> <> <> <> <> <> <> <> <> <56E98086.504> <> <> <> <56EA93C0.104090> <> <d6967727-1fd6-1d43-0fbb-> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Archived-At: <>
Cc: Fernando Gont <>, "" <>
Subject: Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Mar 2016 15:59:32 -0000

Fred Baker (fred) wrote:
> In there first statement, you assert that we're looking at a protocol
> problem. We may be, but that's not obvious to me.

for non-trivial EH chains, most people seem to be acknowledging that
start-to-end EH chain walking is too difficult for vendors to implement
in silicon and is too expensive to handle in software.  Vendors could
implement it, but the cost-to-return ratio doesn't work.

If the ietf designs a protocol which is too difficult / expensive for
vendors to implement or where the cost-to-return doesn't work, then the
problem lies with the protocol definition, not with the vendors' lack of
inclination to implement it.

> There is an issue
> with HBH headers, or at least with their implementation, which we are
> looking at in draft-ietf-6man-hbh-header-handling.

hbh is a separate issue and we should probably park that for this

> Nalini Elkins has
> a problem with the lack of a counterpart to the IPv4 ident field,
> which she wants to address with a Destination Option in
> draft-ietf-ippm-6man-pdm-option. Several folks have issues with
> fragmentation and reassembly (draft-bonica-6man-frag-deprecate), but
> that is more about security policy and perceived application designer
> laziness than about issues with the header; it in fact fragments and
> reassembles if used for that purpose, and AFAIK is widely
> implemented.

The ipv6-ehs-in-real-world draft notes that if you attach a
fragmentation extension header to a packet, it stands a good chance of
being dropped on the floor.  Protocols don't work when they are dropped
by the network.  This matters for frags / ipsec.

> You go on to say that IPv6 Extension Headers implement core
> functionality. I'll agree that the Security Header is core; I go to
> work using one of a couple of VPN technologies, and packet layer
> encryption is central to both. I'm hard pressed to say that the other
> headers are core;

ipsec and fragmentation are the two EHs that concern me.  Other people
may have other opinions.  Personally, I see no future for either RH or
HBH headers, but that is a personal opinion.

> some different processing algorithm". The only one we have deprecated
> is RH0, and even there, the issue isn't that RH0 can't be used to
> implement what in IPv4 we would call a Loose Source Route and Record;
> it's that even in IPv4 we decided that having that option was a
> security nightmare.

agreed.  IPv4 options stopped working in the mid 90s but no-one noticed
because they didn't do anything very important.  The result is that
there is plenty of silicon being sold today which is unable to forward
packets with ipv4 options, and no-one cares.

> If we're looking at a protocol problem, we should be able to describe
> proposed changes to the protocol to fix it. I'm not hearing such
> things described, apart from draft-wkumari-long-headers.
> Is the issue addressed in draft-wkumari-long-headers what we're
> talking about? If so, can we discard the bluster in tone and say
> that? Is there another issue? Can we describe it?

The draft deliberately avoids prescription of a fix. First, there are a
lot of people in this WG claiming that there isn't a problem in the
first place and second, the authors want to try to get consensus that
there is a problem before prescribing a fix.

The authors have discussed this offline and feel that if the WG came to
a consensus that there is a problem, that it would be better to poll the
WG about potential fixes or workarounds.

Personally, I think there is a problem and that the problem could be
helped in the long term by drastically reining in the EH chain limits
prescribed in 7112 (namely, 1280 bytes).

If there are minimum acceptable limits imposed, then the obvious choices
would either to limit by the number of headers or the number of octets
used for headers.  The latter would be much simpler to implement.
Gaining consensus on a reasonable value for either would be very
difficult because the IETF has a long history of having difficulties
settling on what are ultimately arbitrary numbers.  From a practical
point of view, vendor input might be advisable, but I fear this is
bikeshed territory.

draft-wkumari-long-headers discourages EHs completely.  Personally, I
don't think this is workable because of ipsec / fragmentation requirements.

draft-zhang-6man-offset-option is also not ideal.  From a technical
point of view, it is difficult to implement due to packet lookahead
limitations in silicon.  Also the IPR statement allows retaliatory
infringement action, which some people may have issues with.