Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 05 November 2013 15:45 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4208D11E8105 for <v6ops@ietfa.amsl.com>; Tue, 5 Nov 2013 07:45:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.237
X-Spam-Level:
X-Spam-Status: No, score=-102.237 tagged_above=-999 required=5 tests=[AWL=-0.238, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CMlwO0IJ3qt2 for <v6ops@ietfa.amsl.com>; Tue, 5 Nov 2013 07:45:30 -0800 (PST)
Received: from mail-ie0-x22f.google.com (mail-ie0-x22f.google.com [IPv6:2607:f8b0:4001:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 1973F11E81C9 for <v6ops@ietf.org>; Tue, 5 Nov 2013 07:45:30 -0800 (PST)
Received: by mail-ie0-f175.google.com with SMTP id aq17so14835878iec.20 for <v6ops@ietf.org>; Tue, 05 Nov 2013 07:45:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=syzYdPtYULy7YxnjaOseS1yoHhfWEKF7pLDlNa1Kpv4=; b=vZHgsZSphot11WMS6GI/0OZX9bwbWNr4p9p1WaNeJTP8BiXkhV0Ns9YNKVsVW14/UU atAlA46pySa7qABU7i8aen5/Hj/TuUmYJwP0TXVvGwn0ehaTB0ZcQvp/BoWvVNegpQPT 9mYvB4qcBqrdjmgFolJ4IIS5ouBTajDTKcKWXLMkx7CNclkp/sKW9LmcCE9d7Mp0wbjj S3PhDzLcPwdXiU6aLQ4rB9jXuOde7sy8WFyf1n27bxzEz/tp4wYv03SUy8uFq9VEG/2q 9O8LkNdtHCXTWESakdRpeCL0Q936rKgWVZc34W5hIoaIAa6yqCLhPDkFFWSHzWCvbW7x XjJg==
X-Received: by 10.50.12.71 with SMTP id w7mr12056534igb.32.1383666329449; Tue, 05 Nov 2013 07:45:29 -0800 (PST)
Received: from [31.133.148.174] (dhcp-94ae.meeting.ietf.org. [31.133.148.174]) by mx.google.com with ESMTPSA id w4sm8978480igb.5.2013.11.05.07.45.27 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 05 Nov 2013 07:45:28 -0800 (PST)
Message-ID: <52791299.9050301@gmail.com>
Date: Wed, 06 Nov 2013 04:45:29 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Jared Mauch <jared@puck.nether.net>
References: <5278275C.50206@gont.com.ar> <alpine.DEB.2.02.1311050028410.26054@uplift.swm.pp.se> <52783535.9030200@si6networks.com> <20131105001243.53E28985D0D@rock.dv.isc.org> <527839C6.3000805@viagenie.ca> <2134F8430051B64F815C691A62D98318148100@XCH-BLV-504.nw.nos.boeing.com> <F4AB804C-2C8E-40EF-ACE9-0A901E4F5122@employees.org> <52784DD1.7020106@gont.com.ar> <BD308F06-C9E2-42EB-9D23-CFD3432F1A1D@employees.org> <52785F34.6020606@si6networks.com> <A9F99218-AB14-45AA-B29D-7E1D7E4B93FC@employees.org> <5278E639.3040606@inex.ie> <C4864CA1-C8F4-45D6-944A-0E8BA073D4A7@employees.org> <5278E986.9050409@inex.ie> <C1BEE5D4-FDC2-4E4B-947D-CEC9E4F05E5D@employees.org> <5278EDAB.5030601@inex.ie> <52790CE7.6010506@gmail.com> <F326A8CA-50B4-4206-A98C-FE12E103DB35@puck.nether.net>
In-Reply-To: <F326A8CA-50B4-4206-A98C-FE12E103DB35@puck.nether.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Fernando Gont <fgont@si6networks.com>, "v6ops@ietf.org" <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2013 15:45:32 -0000
X-List-Received-Date: Tue, 05 Nov 2013 15:45:32 -0000

> On Nov 5, 2013, at 10:21 AM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
>> On 06/11/2013 02:07, Nick Hilliard wrote:
>>> On 05/11/2013 12:54, Ole Troan wrote:
>>>> why don't you filter out packets on the edge destined to your router's addresses?
>>>> instead of what's effectively breaking IPv6 service across the network.
>>> you can use infrastructure acls if they are handled carefully and don't
>>> depend on implicit "deny any any" (which has special handling for the
>>> "platform ipv6 acl fragment hardware").  But in order to implement this you
>>> need to protect every single link network connected to your PFC3s.  If your
>>> addressing plan is designed with this in mind, it's feasible.  If you have
>>> a very large network or if you've not handled your link address assignments
>>> very carefully, it's often not practical because it means dynamically
>>> maintaining huge access lists on every single device on the network.

>> I think Homer Simpson has a word for this situation.
>>
>> We *really* aren't going to deprecate fragmentation because of one
>> model of broken kit, are we?


On 06/11/2013 04:31, joel jaeggli wrote:

> Do you think there’s one model of broken kit?

Only one has been reported here. Of course I doubt if it's the only one
but it is very widely deployed.

On 06/11/2013 04:31, Jared Mauch wrote:

> I think the challenge here is that Cisco doesn't care to fix the problem
> inherent in their software/hardware integration issue here.  There is no
> structural correction of the defects in the software and nobody there takes
> ownership to correct it.
> 
> I've sadly seen this play out time and time again without anyone fixing basic
> infrastructure items that need correction.  They're unable to as it impacts
> too many sub-platforms/internal consumers of the code that don't see the value
> as it's not adding revenue.
> 
> Many of these headers (eg: hop-by-hop) are comparable to IPv4 features that
> are ignored or dropped by firewalls and routers (Eg: source-route, ecn, etc).
> 
> Without an explicit standard that says things MUST be supported that we can
> cite in RFP/RFI and broad coalition of purchasers it's difficult or impossible
> to change things.  Places like Cisco are too big to steer and correct the
> bad behavior.  I would love to be proven wrong, but years of experience tell
> me it's not going to get better.

I don't think there's any doubt whatever that fragmentation is a mandatory
part of the IPv6 standard. For the rest of the extension headers, the
requirement is in the RFC Editor queue and the new IANA registry
is already in place at
http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#extension-header

   Brian