Hello, Tom, On 20/2/21 12:32, Tom Herbert wrote: [...]
On the other hand, there are use cases where it does work and is in deployment; in fact, there are use cases where it's the *only* way to do in flow classification on packets. The implicit requirement of this draft here is that packets have port numbers in plain text, however that is not possible in no-first fragments, tunnel mode IPsec, tunnling protocols the routers don't understand, etc.
What we describe in our document is how this applies to the general case, and what the operational reality indicates.
For virtually anything, you can always find a scenario where things work.
With regards to extension headers, the presumed problem isn't that the port numbers are present, it's that some, not all, routers have limited capabilities to parse over EHs to find the transport headers.
That's a fact, rather than a presumption.
This is reflected in the statement: "If an IPv6 header chain is sufficiently long that it exceeds the packet look-up capacity of the router, the router might be unable to determine how the packet should be handled, and thus could resort to dropping the packet." It's not to me clear what "sufficiently long" means; in particular, such a statement isn't helpful to the host stack developer trying to figure out if the packets they're creating will be properly forwarded.
"Long enough" for the router handling the packet. There are different vendors, and different models. S the specific value will vary across router vendors and models. In our document, we reference two sample values -- but they are certainly not the only ones.
For the purpose of providing use guidance to the host stack developers, can you please clarify exactly what "sufficiently long" is? For instance, is it reasonable to expect that modern routers should be able forward packets that contain sixty-four bytes of Destination Options, or Routing Header, or HBH Options?
That's out of the scope of this document. That said, RFC7872 might help to answer such question.
Note that RFC8504 and RFC8883 do discuss processing limits being exceeded in terms of the protocol considerations (in fact, RFC8504 recommends a specific default limits on the maximum number of HBH and DestOpt options a host will process in order to mitigate the "DoS due to processing requirements" issue raised in 7.4 of this draft).
The possibility of DoS is simply described as one of the possible implications of EHs. As noted in the document, while there might be filtering policies employed to mitigate DoS attacks, in many cases routers resort to dropping packets containing EHs because they prevent the router from accessing layer-4 information the router may need to process to decide what to do with the packet.
Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@xxxxxxxxxxxxxxx PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
