Internet DRAFT - draft-elkins-v6ops-eh-deepdive-fw

draft-elkins-v6ops-eh-deepdive-fw







IPv6 Operations                                                N. Elkins
Internet-Draft                                              M. Ackermann
Intended status: Best Current Practice                       INT Council
Expires: 24 April 2023                                          D. Dhody
                                      India Internet Engineering Society
                                                         21 October 2022


              Deep Dive into IPv6 Extension Header Testing
                  draft-elkins-v6ops-eh-deepdive-fw-01

Abstract

   IPv6 Extension Header testing is a complex area.  Studies have shown
   varying results.  This document proposes a methodology for isolating
   the location and reasons for IPv6 Extension Headers blockage.  This
   document outlines the basic framework and set of documents which will
   follow.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the IPv6 Operations
   Working Group mailing list (v6ops@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/v6ops/.

   Source for this draft and an issue tracker can be found at
   https://github.com/dhruvdhody/draft-elkins-v6ops-eh-deepdive-fw.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 April 2023.





Elkins, et al.            Expires 24 April 2023                 [Page 1]

Internet-Draft              Deep Dive IPv6 EH               October 2022


Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Problem Description . . . . . . . . . . . . . . . . . . .   2
     1.2.  Fundamental Premises  . . . . . . . . . . . . . . . . . .   3
     1.3.  Diagnostic Methodology Overview . . . . . . . . . . . . .   5
   2.  EH Enabled Server / Client / Router . . . . . . . . . . . . .   7
     2.1.  Modifications to send EHs with application data . . . . .   7
     2.2.  Crafting packets with EH headers  . . . . . . . . . . . .   7
     2.3.  How to Add EH . . . . . . . . . . . . . . . . . . . . . .   8
     2.4.  Which EH to Use . . . . . . . . . . . . . . . . . . . . .   9
   3.  Rate of sending and sampling  . . . . . . . . . . . . . . . .   9
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   5.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   9
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  10
   Contributors  . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

1.1.  Problem Description

   IPv6 [RFC8200] Extension Headers (EHs) may be blocked at various
   points yet show the same symptom.  That is, if an EH is blocked at a
   router, it will appear to the client or measurement technique that
   the packet is dropped.  If an EH is blocked at a load balancer or
   CDN, the client will see the same symptom -- the packet is dropped.






Elkins, et al.            Expires 24 April 2023                 [Page 2]

Internet-Draft              Deep Dive IPv6 EH               October 2022


   This is a problem because when the same symptom can be the due to
   multiple factors, incorrect conclusions may be drawn from the
   results.  That is, if, for example, loss of the sense of taste of
   sweetness can be due either to a brain tumor or a minor neurological
   problem, then if someone has a tendency towards hypochondria, they
   may incorrectly bemoan their impending death from a brain tumor when
   it may really be only a minor issue.

   This is the same for EH testing.  If a packet is seen to be dropped
   in measurement, it may only be that there is a bug in the load
   balancer code (for example) and not that EH transmission does not
   work writ large.

   This document proposes a framework to isolate the problem of where
   the packet is being dropped.  This is, however, more easily said than
   done.  There are many components and devices in a network.  Each may
   require a different isolation technique.

   We propose a methdology which starts with the simplest topology and
   grows towards more and more complex, real-world networks.  For
   example, in today's networks, if one attempts to access a well-known
   site such as Facebook.com, one is likely to access a cache server
   managed by a Content Delivery Network (CDN) rather than the origin
   server managed by Facebook.  It is important to isolate the testing
   so that we can determine the exact component which may be blocking
   the EH and why.

   We additionally discuss the potential issues with the type of data
   sent as well as how the way the data is sent for testing may impact
   test results.

1.2.  Fundamental Premises

   Yet, there are some overriding principles.

   The blockage may be:

   *  in the source network

   *  in the destination network

   *  in a transit network

   Then:

   *  it may be blocked intentionally

   *  it may be blocked unintentionally



Elkins, et al.            Expires 24 April 2023                 [Page 3]

Internet-Draft              Deep Dive IPv6 EH               October 2022


   Intentional blocks are easier to assess.  The block is an
   administrator or network policy.  Of course, the policy may come
   about as a result of a misunderstanding of the function of EHs or
   lack of effective guidance but nonetheless, this is an understandable
   decision.

   The more troubling causes of EH blocks include:

   *  bugs

   *  default configurations or policies by the vendor

   *  lack of support of EH or IPv6 itself

   As far as the blocking component itself (whether intentional or
   unintentional):

   *  may be a router

   *  may be a firewall

   *  may be a load balancer

   *  may be a proxy

   *  may be a Host OS

   *  may be a DNS or other configuration setting

   Note: A DNS or other configuration setting may block IPv6 or prefer
   IPv4.  If not tested correctly, lack of support for IPv6 itself may
   incorrectly appear as lack of support for EHs.

   Finally, the blockage or source may differ based on the type of EH.
   Some EHs are limited to an administrative domain, some EHs are
   processed at every hop, still others are from the source and
   destination.  Problem isolation techniques will differ for the
   various classes of EH.

   Our final document in this series will be a BCP to indicate which EH
   should be allowed, blocked, encrypted, or authenticated and at which
   component or platform.









Elkins, et al.            Expires 24 April 2023                 [Page 4]

Internet-Draft              Deep Dive IPv6 EH               October 2022


   Note: [RFC9288] "Recommendations on the Filtering of IPv6 Packets
   Containing IPv6 Extension Headers at Transit Routers" focuses on the
   IPv6 EH handling at transit routers only.  Our approach is to produce
   a final BCP with various recommendations across network segments,
   once the nature of the problems and techniques for isolation are well
   known.

1.3.  Diagnostic Methodology Overview

   The diagnostic methodology to follow depends on what is being tested.
   For example, the problem isolation for a CDN would be different than
   the problem isolation for an internal network.

   This framework proposes the following set of documents:

   *  EH problem isolation for owned client / server

   *  EH problem isolation in a network using a CDN

   *  EH problem isolation in a network using a cloud provider

   *  EH problem isolation for routers

   *  EH problem isolation for load balancers

   *  EH problem isolation for proxies

   *  EH problem isolation for host OSs

   *  EH problem isolation for transit networks

   *  EH problem isolation for ISPs (multiple components / networks)

   *  BCP for EH Permissions, Encryption and Authentication

   Note that the server can be owned and operated by the administrator
   themselves (on-prem) Figure 1, or they could hosted behind a CDN
   Figure 2, or hosted by the cloud provider Figure 3.

                      +--------------------------+
                      |                          |
   +--------+         |                          |     +---------+
   | client |---------|          Internet        |-----| server  |
   +--------+         |                          |     +---------+
                      |                          |
                      +--------------------------+

                      Figure 1: Owned client / server



Elkins, et al.            Expires 24 April 2023                 [Page 5]

Internet-Draft              Deep Dive IPv6 EH               October 2022


                                                      +-----------------+
                   +--------------------------+     +-----------------+ |
                   |                          |     | CDN Network     | |
+--------+         |                          |     | +---------+     | |
| client |---------|        Internet          |-----| | Edge    |     | |
+--------+         |                          |     | | Server  |     | |
                   |                          |     | +---------+     | |
                   +--------------------------+     |                 | |
                                                    | (LB, Firewall   | |
                                                    |  Cache etc)     | |
                                                    |                 | |
                                                    |                 | |
                                                    |                 | |
                                                    |                 |-+
                                                    +-----------------+
                                                            |
                                                            | (*)
                                                            |
                                                       +---------+
                                                       | Origin  |
                                                       | server  |
                                                       +---------+

(*) - can be over the internet

                     Figure 2: Server behind CDN

                    +--------------------------+     +-----------------+
                    |                          |     |                 |
 +--------+         |                          |     |                 |
 | client |---------|          Internet        |-----| Cloud Network   |
 +--------+         |                          |     | (LB, Firewall,  |
                    |                          |     | Gateways etc)   |
                    +--------------------------+     |                 |
                                                     |                 |
                                                     |                 |
                                                     |   +---------+   |
                                                     |   | Virtual |   |
                                                     |   | server  |   |
                                                     |   +---------+   |
                                                     +-----------------+

                     Figure 3: Cloud-hosted server








Elkins, et al.            Expires 24 April 2023                 [Page 6]

Internet-Draft              Deep Dive IPv6 EH               October 2022


2.  EH Enabled Server / Client / Router

   The first step for all testing is to have a test server, client and /
   or router enabled to send EHs.  There are two basic options to do
   this, each with its own set of advantages and drawbacks.

   The options fall broadly into two categories:

   *  Modifications to the OS / interface / socket / driver to send EHs
      with application data

   *  Using a package which crafts EHs (multiple exist)

   If crafting packets, then the question arises of which packets to
   craft.  This will be discussed in Section 2.2.

   For either methodology, the rate of sending may influence results.
   This will be discussed in Section 3.

2.1.  Modifications to send EHs with application data

   Possibly the best way to isolate problems with EHs may be to have a
   server, client or router which has modifications to the OS,
   interface, driver or other to send real EHs with real application
   data.  This carries the initial cost of creating such modifications
   since, unfortunately, the current set of host OSs do not natively
   support this.

   The reason we find this to be the best method is because the problem
   of what packet to craft is a field which is rife with land mines.
   See Section 2.2 for a further discussion of the exact nature of the
   aforesaid land mines.

2.2.  Crafting packets with EH headers

   A number of packages exist which can craft a packet with an EH
   header.  The more interesting and fraught problem may be which exact
   packet to craft and then which EH to craft.

   Let's discuss first the options for the type of packet to craft.
   These include:

   *  A TCP packet

   *  A UDP packet

   *  An ICMPv6 packet




Elkins, et al.            Expires 24 April 2023                 [Page 7]

Internet-Draft              Deep Dive IPv6 EH               October 2022


   *  A QUIC packet

   If crafting a TCP packet, then it is likely that some middlebox will
   drop a TCP packet which does not have the appropriate ACK and
   SEQUENCE numbers.  One may get around this problem by sending a
   packet with the SYN flag on and directed to some well-known port such
   as 443 or 80.  But, if many firewalls and other devices such as IDS /
   IPS, and even some OSs have SYN Flood protection.  So, if more than a
   certain number of these packets, say 10, in some short interval are
   sent, then they are likely to be dropped for reasons other than
   blockage of EH headers.

   One may choose to use UDP, QUIC, or ICMPv6 to attempt to bypass the
   complexities of TCP.  Some enterprise networks are likely to drop UDP
   and / or QUIC.  Testing should be done without EH to make sure that
   such packets do indeed pass.

   Certainly, if you have access to all the middleboxes in your domain,
   you may be able to bypass or stop SYN Flood, UDP, ICMPv6 or other
   transport layer blocks at all the middleboxes.  But, it may be a more
   difficult effort than might be imagined.

   You may wish to test in a lab environment first to validate your
   approach.

2.3.  How to Add EH

   There are two ways to add an EH to a packet:

   *  use a "real" EH

   *  craft an EH

   The best method may be to use an EH which is actually processed at
   the client, server, and any associated router.  This leaves us with a
   sparse set to choose from.  The problem with crafting an EH is that
   if the data is not "real", one may not be able to fault a network
   component for blocking it.

   Having said that, let's discuss crafting an EH.  An EH may be crafted
   by simply using multiple PADN options.  One should be careful not to
   use too many PADNs because then this type of header may be dropped by
   a middlebox or OS as being a flawed packet.  This is likely to
   distort the results.

   An EH with all 0's or other data patterns that could be perceived as
   not "real" may also be dropped by middleboxes which are trying to be
   helpful.



Elkins, et al.            Expires 24 April 2023                 [Page 8]

Internet-Draft              Deep Dive IPv6 EH               October 2022


   It is also possible that the length of the EH may have some effect on
   what EHs get dropped and where.

   You may wish to try this in a lab environment first.  If the test
   suceeds, then you may test on your network.

2.4.  Which EH to Use

   Next, there is a consideration that the type of EH, for example,
   Destination Options, Hop-by-hop, etc. could get processed differently
   and may be dropped at different frequencies, by different devices.
   You may wish to test one at a time and note the results.

   You may wish to try this in a lab environment first.  If the test
   suceeds, then you may test on your network.

3.  Rate of sending and sampling

   Whether you have chosen to send real application data or to craft
   packets, the rate of sending and sampling may create a false
   indication of blockage.  That is, if you send a great deal of data at
   frequent intervals, some middlebox in the network is likely to see
   this traffic as a Denial of Service (DoS) attack and block it.  This
   is more likely if a great many crafted packets are sent but even with
   real application data such as FTP or HTTP, overly aggressive sending
   is likely to be counterproductive.

   You may wish to send only a few packets or one or two CURL or FTPs at
   any one test.

4.  Security Considerations

   This document has no security considerations.

5.  Privacy Considerations

   This document has no privacy considerations.

6.  IANA Considerations

   This document has no IANA actions.

7.  References

7.1.  Normative References






Elkins, et al.            Expires 24 April 2023                 [Page 9]

Internet-Draft              Deep Dive IPv6 EH               October 2022


   [RFC8200]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", STD 86, RFC 8200,
              DOI 10.17487/RFC8200, July 2017,
              <https://www.rfc-editor.org/rfc/rfc8200>.

7.2.  Informative References

   [RFC9288]  Gont, F. and W. Liu, "Recommendations on the Filtering of
              IPv6 Packets Containing IPv6 Extension Headers at Transit
              Routers", RFC 9288, DOI 10.17487/RFC9288, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9288>.

Acknowledgments

   TODO acknowledge.

Contributors

   TODO contributors.

Authors' Addresses

   Nalini Elkins
   Industry Network Technology Council
   United States of America
   Phone: +1 831 234 4232
   Email: nalini.elkins@insidethestack.com


   Michael Ackermann
   Industry Network Technology Council
   United States of America
   Phone: +1 248 703 3600
   Email: mackermann@bcbsm.com
   URI:   https://www.bcbsm.com


   Dhruv Dhody
   India Internet Engineering Society
   India
   Email: dhruv.ietf@gmail.com










Elkins, et al.            Expires 24 April 2023                [Page 10]