| draft-ietf-v6ops-pmtud-ecmp-problem-05.txt | draft-ietf-v6ops-pmtud-ecmp-problem-06.txt | |||
|---|---|---|---|---|
| v6ops M. Byerly | v6ops M. Byerly | |||
| Internet-Draft Fastly | Internet-Draft Fastly | |||
| Intended status: Informational M. Hite | Intended status: Informational M. Hite | |||
| Expires: April 20, 2016 Evernote | Expires: April 20, 2016 Evernote | |||
| J. Jaeggli | J. Jaeggli | |||
| Fastly | Fastly | |||
| October 18, 2015 | October 18, 2015 | |||
| Close encounters of the ICMP type 2 kind (near misses with ICMPv6 PTB) | Close encounters of the ICMP type 2 kind (near misses with ICMPv6 PTB) | |||
| draft-ietf-v6ops-pmtud-ecmp-problem-05 | draft-ietf-v6ops-pmtud-ecmp-problem-06 | |||
| Abstract | Abstract | |||
| This document calls attention to the problem of delivering ICMPv6 | This document calls attention to the problem of delivering ICMPv6 | |||
| type 2 "Packet Too Big" (PTB) messages to the intended destination | type 2 "Packet Too Big" (PTB) messages to the intended destination | |||
| (typically the server) in ECMP load balanced or anycast network | (typically the server) in ECMP load balanced or anycast network | |||
| architectures. It discusses operational mitigations that can be | architectures. It discusses operational mitigations that can be | |||
| employed to address this class of failures. | employed to address this class of failures. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 2, line 34 | skipping to change at page 2, line 34 | |||
| Operators of popular Internet services face complex challenges | Operators of popular Internet services face complex challenges | |||
| associated with scaling their infrastructure. One scaling approach | associated with scaling their infrastructure. One scaling approach | |||
| is to utilize equal-cost multi-path (ECMP) routing to perform | is to utilize equal-cost multi-path (ECMP) routing to perform | |||
| stateless distribution of incoming TCP or UDP sessions to multiple | stateless distribution of incoming TCP or UDP sessions to multiple | |||
| servers or to middle boxes such as load balancers. Distribution of | servers or to middle boxes such as load balancers. Distribution of | |||
| traffic in this manner presents a problem when dealing with ICMP | traffic in this manner presents a problem when dealing with ICMP | |||
| signaling. Specifically, an ICMP error is not guaranteed to hash via | signaling. Specifically, an ICMP error is not guaranteed to hash via | |||
| ECMP to the same destination as its corresponding TCP or UDP session. | ECMP to the same destination as its corresponding TCP or UDP session. | |||
| A case where this is particularly problematic operationally is path | A case where this is particularly problematic operationally is path | |||
| MTU discovery RFC 1981 PMTUD [RFC1981]. | MTU discovery [RFC1981]. | |||
| 2. Problem | 2. Problem | |||
| A common application for stateless load balancing of TCP or UDP flows | A common application for stateless load balancing of TCP or UDP flows | |||
| is to perform an initial subdivision of flows in front of a stateful | is to perform an initial subdivision of flows in front of a stateful | |||
| load balancer tier or multiple servers so that the workload becomes | load balancer tier or multiple servers so that the workload becomes | |||
| divided into manageable fractions of the total number of flows. The | divided into manageable fractions of the total number of flows. The | |||
| flow division is performed using ECMP forwarding and a stateless but | flow division is performed using ECMP forwarding and a stateless but | |||
| sticky algorithm for hashing across the available paths (see RFC 2991 | sticky algorithm for hashing across the available paths (see | |||
| [RFC2991] for background on ECMP routing). This nexthop selection | [RFC2991] for background on ECMP routing). This nexthop selection | |||
| for the purposes of flow distribution is a constrained form of | for the purposes of flow distribution is a constrained form of | |||
| anycast topology, where all anycast destinations are equidistant from | anycast topology, where all anycast destinations are equidistant from | |||
| the upstream router responsible for making the last next-hop | the upstream router responsible for making the last next-hop | |||
| forwarding decision before the flow arrives on the destination | forwarding decision before the flow arrives on the destination | |||
| device. In this approach, the hash is performed across some set of | device. In this approach, the hash is performed across some set of | |||
| available protocol headers. Typically, these headers may include all | available protocol headers. Typically, these headers may include all | |||
| or a subset of (IPv6) Flow-Label, IP-source, IP-destination, | or a subset of (IPv6) Flow-Label, IP-source, IP-destination, | |||
| protocol, source-port, destination-port and potentially others such | protocol, source-port, destination-port and potentially others such | |||
| as ingress interface. | as ingress interface. | |||
| skipping to change at page 8, line 5 | skipping to change at page 8, line 5 | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This memo includes no request to IANA. | This memo includes no request to IANA. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| The employed mitigation has the potential to greatly amplify the | The employed mitigation has the potential to greatly amplify the | |||
| impact of a deliberately malicious sending of ICMPv6 PTB messages. | impact of a deliberately malicious sending of ICMPv6 PTB messages. | |||
| Sensible ingress rate limiting can reduce the potential for impact; | Sensible ingress rate limiting can reduce the potential for impact; | |||
| however, legitimate PMTUD messages may be lost once the rate limit is | however, legitimate PMTUD messages may be lost once the rate limit is | |||
| reached; analogous to other cases where DOS traffic can crowd out | reached; the scenario is analogous to other cases where DOS traffic | |||
| legitimate traffic. | can crowd out legitimate traffic, however with a limited subset of | |||
| overall traffic. | ||||
| The proxy replication results in devices on the subnet not associated | The proxy replication results in devices on the subnet not associated | |||
| with the flow that generated the PTB, being recipients of the ICMPv6 | with the flow that generated the PTB, being recipients of the ICMPv6 | |||
| PTB message; which contains a large fragment of the packet that | PTB message; which contains a large fragment of the packet that | |||
| exceeded the allowable MTU. This replication of the packet freagment | exceeded the allowable MTU. This replication of the packet fragment | |||
| could arguably result in information disclosure. Recipient machines | could arguably result in information disclosure. Recipient machines | |||
| should be in a common administrative domain. | should be in a common administrative domain. | |||
| 8. Informative References | 8. Informative References | |||
| [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery | [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery | |||
| for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August | for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August | |||
| 1996, <http://www.rfc-editor.org/info/rfc1981>. | 1996, <http://www.rfc-editor.org/info/rfc1981>. | |||
| [RFC2991] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and | [RFC2991] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and | |||
| End of changes. 5 change blocks. | ||||
| 6 lines changed or deleted | 7 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||