On 11/06/2013 15:44, cb.list6 wrote:
> On Jun 10, 2013 8:34 PM, "Brian E Carpenter" <brian.e.carpen...@gmail.com>
> wrote:
>> On 11/06/2013 15:21, cb.list6 wrote:
>>> On Jun 10, 2013 7:23 PM, "Fernando Gont" <fg...@si6networks.com> wrote:
>>>> Folks,
>>>>
>>>> We're currently editing the aforementioned I-D. So far, the I-D just
>>>> required that the entire IPv6 header chain be present in the first
>>> fragment.
>>>> Based on recent/ongoing discussions on the 6man and v6ops lists, there
>>>> seems to be quite a few folks pushing the idea of limiting the size f
>>>> the IPv6 header chain to some value (typically in the order of a few
>>>> hundred bytes).
>>>>
>>>> An earlier version of draft-ietf-6man-oversized-header-chain limited
> the
>>>> header chain to 1280 bytes, but this requirement was later removed.
>>>>
>>>> However, since then a number of folks have produced real world data
>>>> which indicates that packets "won't make it to the destination node" if
>>>> the header chain is larger than a few hundred bytes, and I believe
> that,
>>>> overall, our understanding of the problem and situation has increased
>>>> since then.
>>>>
>>>> My question to th wg is:
>>>>
>>>> 1) Do we want to limit the size of the IPv6 header chain?
>>>>
>>>> 2) If so, which limit should we pick?
>>>>
>>> It's not the size, it is how you use it.
>>>
>>> I would suggest "common types" be permitted (tcp, udp, sctp, icmpv6,
> frag,
>>> esp, ah) while anything else must be behind an esp. This ensures all
>>> parties agree that further arbitrary headers will only be processed by
> the
>>> concenting end systems.
>> Truly, you won't get consensus for that; it isn't realistic. I think we're
>> already very near consensus on an unconstrained limit in the 128/256
>> area.
>>
>> Brian
>>
>
> Concenus from who? Ghosts of protocols past? Or what one fellow calls the
> "ipv6 priesthood" Is this yet another RA vs DHCPv6 disconnect?
No, from the discussion on these two lists in the last
week or so.
>
> But what does 128/256 mean to a network operator? Load balancer or fw or
> router vendor?
It means the size that leading-edge hw can inspect at line speed,
from what a number of operators have been saying.
>
> I believe meaningful guidance must be provided in terms of permutations
> that can be expressed in what the common folk call an "access list".
That's a second level issue and it isn't future-proof. It may well be
useful to document reasonable and unreasonable combinations of
extension headers, in terms of expectations of what firewalls might
be looking for, but there's no one-size-fits-all answer, especially
when you include extensions that haven't been invented yet.
>
> Simply saying that there can be arbitrary chaining of x bytes long does not
> benefit anyone in a practical way, afaik.
IMHO it does; for a start it makes it clear that (say) 257 bytes of
headers have a vanishingly small chance of getting through the
network, and that's much more guidance than we give today. And it
gives hardware designers a target that seems to relate to reality.
Brian
>
> CB
>
>>> CB
>>>> Thanks!
>>>>
>>>> Best regards,
>>>> --
>>>> Fernando Gont
>>>> SI6 Networks
>>>> e-mail: fg...@si6networks.com
>>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>>>
>>>>
>>>>
>>>>
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
