On Jun 10, 2013 8:56 PM, "Brian E Carpenter" <brian.e.carpen...@gmail.com> wrote:
>
> On 11/06/2013 15:44, cb.list6 wrote:
> > On Jun 10, 2013 8:34 PM, "Brian E Carpenter" <brian.e.carpen...@gmail.com> wrote:
> >> On 11/06/2013 15:21, cb.list6 wrote:
> >>> On Jun 10, 2013 7:23 PM, "Fernando Gont" <fg...@si6networks.com> wrote:
> >>>> Folks,
> >>>>
> >>>> We're currently editing the aforementioned I-D. So far, the I-D just
> >>>> required that the entire IPv6 header chain be present in the first
> >>>> fragment.
> >>>> Based on recent/ongoing discussions on the 6man and v6ops lists, there
> >>>> seems to be quite a few folks pushing the idea of limiting the size of
> >>>> the IPv6 header chain to some value (typically in the order of a few
> >>>> hundred bytes).
> >>>>
> >>>> An earlier version of draft-ietf-6man-oversized-header-chain limited the
> >>>> header chain to 1280 bytes, but this requirement was later removed.
> >>>>
> >>>> However, since then a number of folks have produced real world data
> >>>> which indicates that packets "won't make it to the destination node" if
> >>>> the header chain is larger than a few hundred bytes, and I believe that,
> >>>> overall, our understanding of the problem and situation has increased
> >>>> since then.
> >>>>
> >>>> My question to the wg is:
> >>>>
> >>>> 1) Do we want to limit the size of the IPv6 header chain?
> >>>>
> >>>> 2) If so, which limit should we pick?
> >>>>
> >>> It's not the size, it is how you use it.
> >>>
> >>> I would suggest "common types" be permitted (tcp, udp, sctp, icmpv6, frag,
> >>> esp, ah) while anything else must be behind an esp. This ensures all
> >>> parties agree that further arbitrary headers will only be processed by the
> >>> consenting end systems.
> >> Truly, you won't get consensus for that; it isn't realistic. I think we're
> >> already very near consensus on an unconstrained limit in the 128/256
> >> area.
> >>
> >>     Brian
> >>
> >
> > Consensus from who? Ghosts of protocols past? Or what one fellow calls the
> > "ipv6 priesthood"? Is this yet another RA vs DHCPv6 disconnect?
>
> No, from the discussion on these two lists in the last
> week or so.
> >
> > But what does 128/256 mean to a network operator? Load balancer or fw or
> > router vendor?
>
> It means the size that leading-edge hw can inspect at line speed,
> from what a number of operators have been saying.
>
> >
> > I believe meaningful guidance must be provided in terms of permutations
> > that can be expressed in what the common folk call an "access list".
>
> That's a second level issue and it isn't future-proof. It may well be
> useful to document reasonable and unreasonable combinations of
> extension headers, in terms of expectations of what firewalls might
> be looking for, but there's no one-size-fits-all answer, especially
> when you include extensions that haven't been invented yet.
>
> >
> > Simply saying that there can be arbitrary chaining of x bytes long does not
> > benefit anyone in a practical way, afaik.
>
> IMHO it does; for a start it makes it clear that (say) 257 bytes of
> headers have a vanishingly small chance of getting through the
> network, and that's much more guidance than we give today. And it
> gives hardware designers a target that seems to relate to reality.
>
>     Brian

I believe Warren's data hints at the idea that the packets will vanish if
they don't fit a very specific profile.

CB

> >
> > CB
> >
> >>> CB
> >>>> Thanks!
> >>>>
> >>>> Best regards,
> >>>> --
> >>>> Fernando Gont
> >>>> SI6 Networks
> >>>> e-mail: fg...@si6networks.com
> >>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --------------------------------------------------------------------
> >>>> IETF IPv6 working group mailing list
> >>>> ipv6@ietf.org
> >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>> --------------------------------------------------------------------

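Added example, not part of the original thread or of any draft text: a walker that measures how many bytes of an IPv6 packet are taken up by the fixed header plus extension headers and compares that with a length limit such as the 256 bytes discussed above. The names walk_chain, check and build are hypothetical, counting the 40-byte fixed header toward the limit is an assumption, and the sample packets are constructed.

```python
import struct

GENERIC = {0, 43, 60}                  # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH = 44, 51                  # ESP (50) is not walked: opaque beyond it

def walk_chain(pkt: bytes):
    """Return (offset, proto, complete): the offset just past the extension
    headers, the protocol number found there, and whether every header walked
    was fully present in this packet (False for non-first fragments too)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in GENERIC or nh in (FRAGMENT, AH):
        if off + 8 > len(pkt):
            return off, nh, False      # header starts beyond the bytes we have
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return off + 8, pkt[off], False   # offset != 0: not first fragment
            size = 8
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4         # AH length is in 4-octet units
        else:
            size = (pkt[off + 1] + 1) * 8         # generic layout: 8-octet units
        nh, off = pkt[off], off + size
    return off, nh, off <= len(pkt)

def check(pkt: bytes, limit: int = 256) -> str:
    """Classify against an assumed policy limit (bytes, fixed header included)."""
    off, _proto, complete = walk_chain(pkt)
    if not complete:
        return "incomplete"
    return "over-limit" if off > limit else "ok"

def build(ext, upper=17, payload=b"\0" * 8) -> bytes:
    """Constructed sample packet; ext lists (type, size_in_bytes) generic headers."""
    protos = [t for t, _ in ext] + [upper]
    body = b"".join(bytes([protos[i + 1], size // 8 - 1]) + b"\0" * (size - 2)
                    for i, (_, size) in enumerate(ext)) + payload
    return struct.pack("!IHBB", 6 << 28, len(body), protos[0], 64) + b"\0" * 32 + body

if __name__ == "__main__":
    for ext in ([], [(60, 64)], [(60, 216)], [(60, 128), (60, 96)]):
        print(ext, walk_chain(build(ext))[0], check(build(ext)))
```
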