RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Brian,

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@xxxxxxxxx]
> Sent: Monday, October 14, 2013 12:34 PM
> To: Templin, Fred L
> Cc: Fernando Gont; Ray Hunter; 6man Mailing List; ietf@xxxxxxxx
> Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
> 
> Fred,
> 
> On 15/10/2013 06:38, Templin, Fred L wrote:
> ...
> >> We could have that discussion in 6man, sure, but I don't believe
> that
> >> it's
> >> relevant to the question of whether draft-ietf-6man-oversized-
> header-
> >> chain
> >> is ready.
> >
> > If it messes up tunnels, then it's not ready.
> 
> That doesn't follow. See below.
> 
> >> This draft mitigates a known problem in terms of the current
> >> IPv6 standards.
> >
> > If that problem is also mitigated by a measure that does not mess
> > up tunnels, then wouldn't that be worth considering before
> > finalizing this publication.
> 
> The draft mitigates a known problem with communication paths that
> do not include nested tunnels requiring nested fragmentation,
> where the nested tunnel has to deal with an MTU <1280 *and* where
> the nested tunnel goes through a firewall that wants to analyse
> the complete header chain of the innermost packet.

But tunnels - and tunnels within tunnels - need to be considered
as part of the architecture. I have visibility into the network
operations of a major multi-national corporation, and I can tell
you that I see tunnels within tunnels in operational practice today.
I also have visibility into civil aviation and DoD networks, and
I see an emerging trend for mobile networks. Consider a mobile
network B that comes onto a link offered by mobile network A.
Then, mobile network C comes onto a link offered by B. Then, etc.
Then, the next thing you know, it's turtles all the way down.

Fragmentation is the tool that enables endless recursion. Or, at
least, recursion up to some defined limit. At least for the first
several levels of recursion, middleboxes should be able to see all
host-inserted headers within the first fragment.

Thanks - Fred
fred.l.templin@xxxxxxxxxx


> No, I don't think it's worth considering that case before specifying
> this mitigation.
> 
>      Brian





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]