Hi Brian,

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@xxxxxxxxx]
> Sent: Monday, October 14, 2013 12:34 PM
> To: Templin, Fred L
> Cc: Fernando Gont; Ray Hunter; 6man Mailing List; ietf@xxxxxxxx
> Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
>
> Fred,
>
> On 15/10/2013 06:38, Templin, Fred L wrote:
> ...
> >> We could have that discussion in 6man, sure, but I don't believe that
> >> it's relevant to the question of whether
> >> draft-ietf-6man-oversized-header-chain is ready.
> >
> > If it messes up tunnels, then it's not ready.
>
> That doesn't follow. See below.
>
> >> This draft mitigates a known problem in terms of the current
> >> IPv6 standards.
> >
> > If that problem is also mitigated by a measure that does not mess
> > up tunnels, then wouldn't that be worth considering before
> > finalizing this publication?
>
> The draft mitigates a known problem with communication paths that
> do not include nested tunnels requiring nested fragmentation,
> where the nested tunnel has to deal with an MTU <1280 *and* where
> the nested tunnel goes through a firewall that wants to analyse
> the complete header chain of the innermost packet.

But tunnels - and tunnels within tunnels - need to be considered as
part of the architecture. I have visibility into the network operations
of a major multi-national corporation, and I can tell you that I see
tunnels within tunnels in operational practice today. I also have
visibility into civil aviation and DoD networks, and I see an emerging
trend for mobile networks. Consider a mobile network B that comes onto
a link offered by mobile network A. Then, mobile network C comes onto
a link offered by B. Then, etc. Then, the next thing you know, it's
turtles all the way down. Fragmentation is the tool that enables
endless recursion. Or, at least, recursion up to some defined limit.

At least for the first several levels of recursion, middleboxes should
be able to see all host-inserted headers within the first fragment.

Thanks - Fred
fred.l.templin@xxxxxxxxxx

> No, I don't think it's worth considering that case before specifying
> this mitigation.
>
> Brian
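The claim that the host's headers stay visible in the first fragment for "the first several levels" of tunnel nesting can be checked with a simple model. The script below is an added illustration, not code from the thread or from the draft: it assumes RFC 2473-style IPv6-in-IPv6 tunnels whose ingress encapsulates and then fragments whatever exceeds the tunnel MTU, and it uses a constructed host header chain (IPv6 + one 8-octet Destination Options header + TCP); the function names are mine.

```python
IPV6_HDR = 40          # fixed IPv6 header length
FRAG_HDR = 8           # IPv6 Fragment extension header length
IPV6_MIN_MTU = 1280    # minimum IPv6 link MTU

# Constructed example of a host's own header chain: IPv6 + one 8-octet
# Destination Options header + TCP. Labels starting with "host:" mark
# headers the originating host inserted.
HOST_CHAIN = [("host:ipv6", IPV6_HDR), ("host:dstopts", 8), ("host:tcp", 20)]

def first_fragment(segments, mtu):
    """Encapsulate `segments` (list of (label, octets)) in one outer IPv6
    header, as a tunnel ingress would, and return the segments that land in
    the first fragment emitted on a link of `mtu` octets."""
    inner_len = sum(n for _, n in segments)
    if IPV6_HDR + inner_len <= mtu:                  # fits: no fragmentation
        return [("tunnel:ipv6", IPV6_HDR)] + list(segments)
    room = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8      # fragment data is 8-aligned
    if room <= 0:
        raise ValueError("tunnel MTU leaves no room for inner data")
    out = [("tunnel:ipv6", IPV6_HDR), ("tunnel:frag", FRAG_HDR)]
    for label, n in segments:
        if room == 0:
            break
        take = min(n, room)                          # a header may be cut here
        out.append((label, take))
        room -= take
    return out

def host_chain_intact(host_chain, payload_len, tunnel_mtus):
    """Follow the outermost first fragment through each nesting level and
    report, per level, whether every host-inserted header is still complete
    inside it (what a middlebox parsing the innermost chain needs)."""
    pkt = list(host_chain) + [("payload", payload_len)]
    wanted = dict(host_chain)
    intact = []
    for mtu in tunnel_mtus:
        pkt = first_fragment(pkt, mtu)
        seen = {label: n for label, n in pkt if label.startswith("host:")}
        intact.append(seen == wanted)
    return intact

def intact_levels(host_chain, payload_len, tunnel_mtus):
    """Number of consecutive nesting levels that keep the host chain intact."""
    flags = host_chain_intact(host_chain, payload_len, tunnel_mtus)
    return flags.index(False) if False in flags else len(flags)

if __name__ == "__main__":
    payload = IPV6_MIN_MTU - sum(n for _, n in HOST_CHAIN)  # 1280-octet packet
    print(intact_levels(HOST_CHAIN, payload, [IPV6_MIN_MTU] * 40))  # -> 25
```

Each nesting level at the 1280-octet minimum MTU costs 48 octets of the inner packet in the first fragment (outer header plus Fragment header), so a 68-octet host chain survives 25 levels here; a tunnel hop with MTU below 1280 simply shrinks the first fragment further.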