Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6...
Transcript of Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6...
![Page 1: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/1.jpg)
Large (UDP) Packets in IPv6
Geoff HustonAPNIC
![Page 2: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/2.jpg)
What’s the problem?
![Page 3: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/3.jpg)
What’s the problem?
![Page 4: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/4.jpg)
So what?
![Page 5: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/5.jpg)
Packet Networks like variable packet sizes
• Therangeofpacketsizessupportedinanetworkrepresentsasetofengineeringtrade-offs:• Biterrorrateoftheunderlyingmedia• Desiredcarriageefficiency• Transmissionspeedvspacketswitchingspeed
![Page 6: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/6.jpg)
IPv4 Packet Design
FORWARD fragmentation• Ifaroutercannotforwardapacketonitsnexthopduetoapacketsizemismatchthenitispermittedtofragmentthepacket,preservingtheoriginalIPheaderineachofthefragments
![Page 7: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/7.jpg)
IPv4 and the “Don’t Fragment” bit
IfFragmentationisnotpermittedbythesource,thentherouterdiscardsthepacket.TheroutermaysendanICMPtothepacketsourcewithanUnreacahble code(Type3,Code4)
LaterIPv4implementationsaddedaMTUsizetothisICMPmessage
BUT:ICMPmessagesareextensivelyfilteredintheInternetsoapplicationsshouldnotcountonreceivingthesemessages!
![Page 8: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/8.jpg)
Trouble at the Packet Mill
• Lostfragsrequirearesendoftheentirepacket–thisisfarlessefficientthanrepairingalostpacket• Fragmentsrepresentasecurityvulnerabilityastheyareeasilyspoofed• Fragmentsrepresentaproblemtofirewalls–withoutthetransportheadersitisunclearwhetherfragsshouldbeadmittedordenied• Packetreassemblyconsumesresourcesatthedestination
![Page 9: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/9.jpg)
The thinking at the time…
FragmentationwasaBadIdea!
Kent,C.andJ.Mogul,"FragmentationConsideredHarmful",Proc.SIGCOMM'87WorkshoponFrontiersinComputerCommunicationsTechnology,August1987
![Page 10: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/10.jpg)
IPv6 Packet Design
• AttempttorepairtheproblembyeffectivelyjammingtheDON’TFRAGMENTbittoalwaysON• IPv6usesBACKWARDsignalling• WhenapacketistoobigforthenexthoparoutershouldsendanICMP6TYPE2(PacketTooBig)messagetothesourceaddressandincludetheMTUofthenexthop.
![Page 11: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/11.jpg)
IPv6 Source Fragmentation
![Page 12: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/12.jpg)
What changed? What’s the same?
• Bothprotocolsmayfragmentapacketatthesource• BothprotocolssupportaPacketTooBigsignalfromtheinteriorofthenetworktothesource• OnlyIPv4routersmaygeneratefragmentson-the-fly• IPv6reliesonsupportforExtensionHeaderstosupportitsimplementationofIPpacketfragmentation• Butthathasitsownsetofimplications(Seeslide3)!
![Page 13: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/13.jpg)
What does “Packet Too Big” mean anyway?
errrrr
![Page 14: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/14.jpg)
It’s a Layering Problem
• FragmentationwasseenasanIPlevelproblem• Itwasmeanttobeagnosticwithrespecttotheupperlevel(transport)protocol
• Butwedon’ttreatitlikethat• Andweexpectdifferenttransportprotocolstoreacttofragmentationnotificationindifferentways
![Page 15: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/15.jpg)
What does “Packet Too Big” mean anyway?
ForTCP itmeansthattheactivesessionreferredtointheICMPpayload*shoulddropitssessionMSStomatchtheMTU**
InanidealnetworkyoushouldneverseeIPv6fragmentsinTCP!
*assumingthatthepayloadcontainstheoriginalend-to-endIPheader**assumingthattheICMP isgenuine
![Page 16: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/16.jpg)
What does “Packet Too Big” mean anyway?
ForUDP itsnotclear:• Theoffendingpackethasgoneaway!• SomeIPimplementationsappeartoignoreit• OthersaddahostentrytothelocalIPForwardingtablethatrecordstheMTU• OthersperformarudimentaryformofMTUreductioninalocalMTUcache
![Page 17: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/17.jpg)
Problems
ICMPisreadilyspoofed• ICMPmessagescanconsumehostresources• AnattackermayspoofahighvolumestreamofICMPPTBmessageswithrandomIPv6sourceaddresses• AnattackermayspoofICMPPTBmessageswithverylowMTUvalues
![Page 18: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/18.jpg)
Problems
ICMPiswidelyfiltered• leadingtoblackholesinTCPsessions
• GETisasmallHTTPpacket• Theresponsecanbearbitrarilylarge,andifthereisapathMTUmismatchtheresponsecanwedge
Get Response
![Page 19: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/19.jpg)
Problems
LeadingtoambiguityinUDP• Isthislackofaresponseduetonetworkcongestion,routing&addressingissues,orMTUmismatch?• Shouldthereceiverjustgiveup,resendthetriggerquery,orreverttoTCP?(assumingthatitcan)
![Page 20: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/20.jpg)
What did IPv6 do differently?
IPv6definedaminimumunfragmented packetsizeof1,280bytes:
IPv6 Specification: RFC2460
![Page 21: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/21.jpg)
What did IPv6 do differently?
IPv6definedaminimumunfragmented packetsizeof1,280bytes:
IPv6 Specification: RFC2460
![Page 22: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/22.jpg)
Bewteen 1280 and 1500
WhatshouldanIPv6hostuseasalocalMTUvalue?
• Ifyousetitat1280thenyouinvitefragmentationifyouneedtosendlargerpackets,whichwillriskEHlossonfragmentedpackets• Ifyousetitat1500thenyoumayencounterriskswithMTUmismatchandPTBnotificationlosswhentalkingwithahostwithasmallerMTUandencounterMTUBlackHoles
1280 1500
![Page 23: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/23.jpg)
Lets look
• SoiftheissueisthecombinationofIPv6,UDPandlargerpacketsthenperhapswecanexperimentwiththis• It’scalled“theDNS”!
• Sowesetupanexperiment…• Response1:131octets• Response2:1400octets• Response3:1700octets
AndsetupanameserverreachableonlyonIPv6andonlyonUDP
![Page 24: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/24.jpg)
What we expect to see
SizeFetchedFailedReason
Small(150octets) 99% 1% Noise1160octets 99% 1% Noise1400octets ? ? PTB1700octets <52% >48% EHLoss,
Fragloss,PTB
![Page 25: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/25.jpg)
What we saw
Tested AlwaysFetched Both AlwaysMissed
150 11,719 8,792(75.02%) 377(3.22%) 2,550(21.76%)
1,160 2,004 1,353(67.51%) 5(0.25%) 646(32.24%)
1,400 9,789 7,374(75.33%) 385(3.93%) 2,030(20.74%)
1,425 1,977 1,313(66.41%) 7(0.35%) 657(33.23%)
1,453 1,987 1,298(65.32%) 9(0.45%) 680(34.22%)
1,70011,170 5,859(52.45%) 172(1.54%) 5,139(46.01%)
1280
1500
![Page 26: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/26.jpg)
What we saw
Tested AlwaysFetched Both AlwaysMissed
150 11,719 8,792(75.02%) 377(3.22%) 2,550(21.76%)
1,160 2,004 1,353(67.51%) 5(0.25%) 646(32.24%)
1,400 9,789 7,374(75.33%) 385(3.93%) 2,030(20.74%)
1,425 1,977 1,313(66.41%) 7(0.35%) 657(33.23%)
1,453 1,987 1,298(65.32%) 9(0.45%) 680(34.22%)
1,70011,170 5,859(52.45%) 172(1.54%) 5,139(46.01%)
??
1280
1500
Thereisquitesomenoiseinthisdata– thesmall-sizeresponseshowsa21%lossrate,whichislikelytobeduetoacombinationof:
DNSmulti-slavequeryengine farmsIPv6LinkLayeraddressmanipulationICMPv6AddressunreachableDNStimeouts
![Page 27: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/27.jpg)
Unreachables
• DualStackconfigurationshideamultitudeofsins• AndoneoftheseistheuseofunreachableIPv6addressesforDNSresolvers• 11,077distinctunreachableIPv6addresses!• Outof22,000distinctIPv6/128addresses
• Whichisnotquiteasbadasitlooks– anumberofresolversare“aggressive”intheiruseof/64interfaceidentifiers
![Page 28: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/28.jpg)
Filtering the results
• Joinindividualresolver/128addressesintocommon/64’s• Onlylookatresolver/64’sthatfetcheitherofthetwolow-sizecontrols• WhichmeansthattheIPv6addressisreachable• Andtheresolverwillsuccessfullyresolveagluelessdelegation
![Page 29: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/29.jpg)
What we saw:Size Tested AlwaysFetched Both AlwaysMissed
1505,4335,290(97%)143(3%)0
1,160654651(99%)3(1%)0
14004,6584,495(96%)133(3%)30(1%)
1425636619(97%) 5(1%) 12(2%)
1453638609(95%) 6(1%) 23(4%)
17004,6863,464(74%)79(1%)1,143(25%)
1280
1500
![Page 30: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/30.jpg)
What we saw:Size Tested AlwaysFetched Both AlwaysMissed
1505,4335,290(97%)143(3%)0
1,160654651(99%)3(1%)0
14004,6584,495(96%)133(3%)30(1%)
1425636619(97%) 5(1%) 12(2%)
1453638609(95%) 6(1%) 23(4%)
17004,6863,464(74%)79(1%)1,143(25%)
1280
1500
Between 1280 and 1500 the failure rate rises as the packet size rises.
![Page 31: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/31.jpg)
PTB MTU size distribution
1280
1500
1480
1460 1492
![Page 32: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/32.jpg)
What we saw:Size Tested AlwaysFetched Both AlwaysMissed
1505,4335,290(97%)143(3%)0
1,160654651(99%)3(1%)0
14004,6584,495(96%)133(3%)30(1%)
1425636619(97%) 5(1%) 12(2%)
1453638609(95%) 6(1%) 23(4%)
17004,6863,464(74%)79(1%)1,143(25%)
1280
1500
There is a visible signal here for packets > 1500 octets.
It is not a 48% drop rate, but it is certainly more than 20% over and above the other packet sizes. There is a definite problem here with large IPv6 packets.
![Page 33: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/33.jpg)
EH drop? Or something more mundane?
1,143 IPv6/64sconsistentlycannotfetcha1,700octetUDPresponse• 331/64’s generatedICMPFragmentationreassemblyICMPmessages• Firewallfrontenddiscardingtrailingfragments
• 61 /64’sgeneratedPacketTooBigmessages
• 751 failing/64’sgeneratednoICMPmessagesi.e.EHpacketdropwasamaximumof16%inthisexperiment
![Page 34: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/34.jpg)
What we saw with a 1280 MTU:
Size Tested AlwaysFetched Both AlwaysMissed
1504,7774,600(96%)177(4%)0
14004,6623,695(79%)80(2%)887(19%)
17004,6353,429(74%)95(2%)1,111(24%)
1280
1500
Dropping the local MTU pushes a further 18% fragmentation drop into the 1,400 Byte packet
![Page 35: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/35.jpg)
What are we seeing?
WhetheritsEHdropoffragfiltering,thereissomethingdeeplyconcerninginthesenumbers:• Aprotocolthatsuffersa~20%packetdroprateonfragmentedpacketspresentsaproblem!• HostsshouldusethelargestlocallysupportedMTUforUDP(andusea1,220MSSforTCP)• ApplicationsshouldassumethatlargeIPv6fragmentedpacketsmaysilentlydieintransit.TheyshouldbepreparedtoperformarapidcutovertoTCPintheeventofsuspectedpacketlossinUDP
• Shouldwerevivedraft-bonica-6man-frag-deprecate?
![Page 36: Large (UDP) Packets in IPv6 - RIPE 72 · PDF fileBewteen 1280 and 1500 What should an IPv6 host use as a local MTU value? • If you set it at 1280 then you invite fragmentation if](https://reader031.fdocuments.us/reader031/viewer/2022030417/5aa36cc07f8b9aa0108e90b8/html5/thumbnails/36.jpg)
Thanks!