Tom, We seem to be talking past one another.
Would you objection be satisfied if I deleted the sentence? Ron > -----Original Message----- > From: Tom Herbert <t...@herbertland.com> > Sent: Wednesday, January 16, 2019 3:03 PM > To: Ron Bonica <rbon...@juniper.net> > Cc: int-area <int-area@ietf.org> > Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 (Tom > Herbert) > > On Wed, Jan 16, 2019 at 11:40 AM Ron Bonica <rbon...@juniper.net> wrote: > > > > Inlineā¦.. > > > > > > > > From: Tom Herbert <t...@herbertland.com> > > Sent: Wednesday, January 16, 2019 2:27 PM > > To: Ron Bonica <rbon...@juniper.net> > > Cc: int-area <int-area@ietf.org> > > Subject: Re: [Int-area] WGLC on draft-ietf-intarea-frag-fragile-05 > > (Tom Herbert) > > > > > > > > > > > > On Tue, Jan 15, 2019, 6:17 PM Ron Bonica <rbon...@juniper.net wrote: > > > > Tom, > > > > Please take a look at Section 4.3 (Stateless Firewalls). How can the > > stateless > firewall behave optimally without maintaining state? > > > > > > > > Ron, > > > > > > > > A stateless firewall that maintains state is no longer a stateless firewall. > Introducing state requires memory and additional logic that are at odds with > the goal of cheap low end devices. > > > > > > > > True, but orthogonal to the issue at hand. You asked why a middle box might > need to maintain state to perform properly. I offered the example of a > firewall. In the presence of fragments, only a stateful firewall can perform > its > intended task. > > > Ron, > > I don't follow. If the intended task is to drop packets based on some filter > then > dropping the first fragment meets the requirement. If the intent is something > else then the requirements should be enumerated. > Neither do I understand why a stateful firewall uniquely satisfies the > requirements without breaking others. All we know from the description is > that they're stateful, but we don't know how they should manage and using > state nor the requirements they have followed. Think of it this way, if I > were a > manufacturer of a stateless device and I read the draft I might be convinced > of > the recommedation that I need to add state to my devices. But then what does > that mean? Where is the specification and requirements that tells me how to > do that? > > Tom > > > > > > > > > > > A stateless firewall could just drop the first fragment that contains the > transport layer header and allow non first fragments to past. This achieves > the > filtering goal to prevent delivery of the reassmbled packet. It does mean > fragments that can't possibly be reassembled make it to the destination. > Whether or not that is a mere nuisance or causes real problems that creates a > DOS vector depends on other factors in deployment. > > > > > > > > It is at least a nuisance and at worst a DOS vector. > > > > > > > > Also, if state is required then what is the algorithm that uses that state? > > in > section 4.6 virtual reassembly is mentioned in passing, but they goes on to > say > that has problems. It's also true that stateful firewalls inevitably break > multi- > path but stateless firewalls don't which is a big advantage. It's not clear > to me > that making stateless firewalls stateful is an improvement. > > > > > > > > This is beyond the scope of this document. > > > > > > > > Ron > > > > > > > > > > > > Tom > > > > > > > > > > > > > > While flow labels may help in the case of load balancers, the don't help at > > all > in the case of stateless firewalls. > > > > > > Ron > > > > > Secondly, the only specified interaction between fragmentation and > > > intermediate nodes is that routers can fragment packets in IPv4. > > > Other than that, a middlebox that complies with RFC791 and RFC8200 > > > does not process or consider fragmentation of packets. Given that, > > > it's unclear to me why middle boxes would need to maintain state to > > > be protocol compliant. It's possible that the implicit exception of > > > the requirement is that middleboxes might perform "in-network > reassembly" > > > or "virtual reassemlby" which would require state. If that is indeed > > > the case then the requirements for the mechanisms should be spelled out. > > > > > > For stateless load balancing (described in section 4.4), the IPv6 > > > flow label obviates the need for DPI. It is sufficient to hash over > > > the three tuple <saddr, daddr, flow label> to get good load > > > balancing. All major OSes have been updated to set flow labels, and there > are devices that already support this. > > > IMO, the draft should make using flow label for stateless load > > > balancing a SHOULD. > > > > > > Tom > > > > _______________________________________________ > > Int-area mailing list > > Int-area@ietf.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail > > man_listinfo_int-2Darea&d=DwIFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK- > ndb3voD > > TXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl- > AWF2EfpHcAwrDThKP8&m=9zVoUdr9_Qfuu > > va6rZQ-CZAiv- > hwpTgbMYOwTZQk5CY&s=cVqZEBCUgpPByE1PsvHyK7FzO1NuJmVuPdOCv > > bfWfGs&e= _______________________________________________ Int-area mailing list Int-area@ietf.org https://www.ietf.org/mailman/listinfo/int-area