Hi, Brian, On 08/20/2014 01:02 AM, Brian E Carpenter wrote: >> >> What does "downstream" mean? Do you mean "the host does not know if the >> other host it's talking to is behind a SIIT translator"? Or something else? > > No, exactly that. SIIT is defined as a stateless translation, > and there's no direct way for a host to know it exists. So if > you get a PTB for <1280, you simply don't know if it's from a > real translator or not in the general case. That's why there's > a DOS risk in the first place. > > It would be interesting to know if this matters. It only matters > if there is a significant number of operational paths with the > combination of SIIT and small IPv4 MTUs. I think we need more > data before 6man considers making an incompatible change.
Truth is that, at this point in time, you will not find any significant number of SIIT deployments for any kind of measurements to be to have any significance. It would also depend on the kind of SIIT deployment: * If the translator is closer to the client, I'd expect that IPv4 path has at least the 1280 bytes. * OTOH, if SIIT is being deployed closer to the server (IPv6-only datacenter sort of thing), then the IPv4 could be... anything (although, I'd still expect the vast majority to have MTUs of at least 1280 bytes). But in this case, you really want to avoid IPv6 fragmentation as much as possible, since sending IPv6 fragments greatly reduces the chances of your packets from getting there. In any case, I think that there are some factors to consider here: * At least some popular OSes were not generating IPv6 atomic fragments as expected (that includes some rather recent versions of FreeBSD and Mac OS X). Hence the most robust option is to gracefully handle the case where the IPv6 node does not generate IPv6 atomic fragments. * And we're certainly not at a stage in which SIIT deployments are "the rule". Hence, the earlier this is fixed, the cheaper it gets. Thanks, -- Fernando Gont SI6 Networks e-mail: [email protected] PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 _______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
