
RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

2013-10-14 14:56:09
Hi Brian,

-----Original Message-----
From: Brian E Carpenter 
[mailto:brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com]
Sent: Monday, October 14, 2013 12:34 PM
To: Templin, Fred L
Cc: Fernando Gont; Ray Hunter; 6man Mailing List; ietf(_at_)ietf(_dot_)org
Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
(Implications of Oversized IPv6 Header Chains) to Proposed Standard

Fred,

On 15/10/2013 06:38, Templin, Fred L wrote:
...
We could have that discussion in 6man, sure, but I don't believe
that it's relevant to the question of whether
draft-ietf-6man-oversized-header-chain is ready.

If it messes up tunnels, then it's not ready.

That doesn't follow. See below.

This draft mitigates a known problem in terms of the current
IPv6 standards.

If that problem is also mitigated by a measure that does not mess
up tunnels, then wouldn't that be worth considering before
finalizing this publication?

The draft mitigates a known problem with communication paths that
do not include nested tunnels requiring nested fragmentation,
where the nested tunnel has to deal with an MTU <1280 *and* where
the nested tunnel goes through a firewall that wants to analyse
the complete header chain of the innermost packet.

But tunnels - and tunnels within tunnels - need to be considered
as part of the architecture. I have visibility into the network
operations of a major multi-national corporation, and I can tell
you that I see tunnels within tunnels in operational practice today.
I also have visibility into civil aviation and DoD networks, and
I see an emerging trend for mobile networks. Consider a mobile
network B that comes onto a link offered by mobile network A.
Then, mobile network C comes onto a link offered by B. Then, etc.
Then, the next thing you know, it's turtles all the way down.

Fragmentation is the tool that enables endless recursion. Or, at
least, recursion up to some defined limit. At least for the first
several levels of recursion, middleboxes should be able to see all
host-inserted headers within the first fragment.

Thanks - Fred
fred(_dot_)l(_dot_)templin(_at_)boeing(_dot_)com


No, I don't think it's worth considering that case before specifying
this mitigation.

     Brian
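
As an added illustration of the nesting argument in this thread (a constructed model, not code from the draft or from either author), the following Python estimates how many IPv6-in-IPv6 tunnel levels can wrap a packet before its innermost header chain no longer fits in the outermost first fragment. The header sizes, the 8-byte fragment alignment, the absence of extra tunnel headers (GRE, UDP) and the sample MTUs are assumptions.

```python
"""Constructed model of how nested IPv6-in-IPv6 tunnels push the innermost
header chain out of the first fragment.  Each tunnel level prepends a
40-byte IPv6 header and, when the result exceeds that tunnel's path MTU,
inserts a Fragment header and splits the packet.  Sizes are illustrative
assumptions, not measurements from any real network."""

IPV6_HDR = 40   # fixed IPv6 header length
FRAG_HDR = 8    # Fragment extension header length


def encapsulate(first: int, chain: int, mtu: int) -> tuple[int, int]:
    """Wrap the current first fragment in one more IPv6-in-IPv6 tunnel.

    first: length of the first fragment (or whole packet) at this level
    chain: bytes from the start of that fragment to the end of the innermost
           upper-layer header, i.e. what a deep-inspecting middlebox must see
    Returns (first, chain) one tunnel level further out.
    """
    size = IPV6_HDR + first
    chain = IPV6_HDR + chain
    if size <= mtu:
        return size, chain                      # no tunnel fragmentation needed
    # Tunnel ingress must fragment; fragment data is carried in 8-byte units.
    payload = ((mtu - IPV6_HDR - FRAG_HDR) // 8) * 8
    return IPV6_HDR + FRAG_HDR + payload, chain + FRAG_HDR


def visible_levels(inner_chain: int, inner_size: int, mtus: list[int]) -> list[bool]:
    """For tunnels listed innermost-first, report per level whether the complete
    innermost header chain is still inside the outermost first fragment."""
    first, chain = inner_size, inner_chain
    result = []
    for mtu in mtus:
        first, chain = encapsulate(first, chain, mtu)
        result.append(chain <= first)
    return result


def levels_until_hidden(inner_chain: int, inner_size: int, mtus: list[int]) -> int:
    """Number of nesting levels at which the chain stays fully visible."""
    vis = visible_levels(inner_chain, inner_size, mtus)
    return vis.index(False) if False in vis else len(vis)


if __name__ == "__main__":
    # Innermost packet: 1280 bytes; chain = IPv6 header + 800 bytes of
    # extension headers + 20-byte TCP header (a constructed oversized chain).
    chain, size = IPV6_HDR + 800 + 20, 1280
    print(levels_until_hidden(chain, size, [1280] * 10))  # nested 1280-byte tunnels
    print(levels_until_hidden(chain, size, [1000] * 10))  # tunnels with MTU < 1280
```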
