Re: [bess] Erik Kline's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS)
Tony Przygienda <tonysietf@gmail.com> Thu, 17 February 2022 10:10 UTC
Return-Path: <tonysietf@gmail.com>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D66293A0837; Thu, 17 Feb 2022 02:10:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgHLqDXD2YWZ; Thu, 17 Feb 2022 02:10:33 -0800 (PST)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B9F43A0831; Thu, 17 Feb 2022 02:10:33 -0800 (PST)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-2d07ae0b1c4so26157937b3.11; Thu, 17 Feb 2022 02:10:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MZ18doHqIsi5+Aq+joUqsc9KylwCEpciJeSAqyZs9rE=; b=D+h4J5lNteONwDNBuZG3jIlK9Q/WXNw6JV2QYdPTdpaDjDYmpzzMy4Z33KRJqpKAd7 17LUz+zYu/PUlvYQvj3tJkICeySvA4p+iAd18v9Ru6XK0ireRfPPGEhCEe2weksbL0Tv ln34dYvoKwQSEdG6+DyYHfrUTR8yBnHJEO1D5tuAvVaPqvN/ByN2wkcvA52QWSmrrVQq EQmFFK6HC81CYKfKp/KixAF4JedS+xUnS+50klHnXFduGQZNCrCWIXY0Dw9MUPDlP/u8 l6q3F0op0J9szrMIxJFrjRaPmW/5zUeTFbGcRyto4jbbG0q3sSBcjkACuQwI3FizjkN5 Fr/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MZ18doHqIsi5+Aq+joUqsc9KylwCEpciJeSAqyZs9rE=; b=lYtKXkLmSWGWTlR2Z5NaCStYqCK5mXpyU9iStzXUjBjfM6n/VOX9Pj/QgXCtKNq5mh d6vDFEWwuu7BXIxZEFrr9P7roJ0PFemWlzwvWh7UdjUsVjg8Ds2Q2djXl4XlF4s67g/N 7CpsEp9EU+Y8oI3i2aHCLICtOu5yVAFyvkVIPwm80iHbuQgAActL5yzVHgbrGENvoZbU WY2cIw5fI7z/zb0PEYCyo7rSPMjNyrbZcR7j8ZNCLiIaV0NkJ++LEhCmO1pUnF4lhZQ+ JrGK6jIpmiA2VVU3o3I8KSgS/dYERqBgI5mWhTmGNs5cNnUYdpo1cYqLVBn/hyjJiF3q E3ig==
X-Gm-Message-State: AOAM531MGbPiuEXImosWaYUnUEWeIzZ9L2wSDGql4XseXRZskOt4C1db gcQ6dvL8rpRm1YYAqsrE5jLucA66U3u9GkjzpKE=
X-Google-Smtp-Source: ABdhPJw6EiWCPl4l3/cRi2cOyQM7FlQzXA++Srzz60b15PWSN/gRiZWqaWUOUcKjLESy1NCrQR9332NGOzSBjQufNRQ=
X-Received: by 2002:a0d:d5c8:0:b0:2d5:e0a:56c0 with SMTP id x191-20020a0dd5c8000000b002d50e0a56c0mr1866932ywd.10.1645092631863; Thu, 17 Feb 2022 02:10:31 -0800 (PST)
MIME-Version: 1.0
References: <164507779493.12793.548337102165449445@ietfa.amsl.com> <CAH6gdPyK=BjqwdkK8-GF6HOr6ubC7CocED5bTFBDPOB4zV-JRA@mail.gmail.com>
In-Reply-To: <CAH6gdPyK=BjqwdkK8-GF6HOr6ubC7CocED5bTFBDPOB4zV-JRA@mail.gmail.com>
From: Tony Przygienda <tonysietf@gmail.com>
Date: Thu, 17 Feb 2022 11:09:55 +0100
Message-ID: <CA+wi2hNcAsoJOrPmHavbPEeGsNY6TKx7OFSq7B8jWdSXnXQWPA@mail.gmail.com>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
Cc: Erik Kline <ek.ietf@gmail.com>, "Bocci, Matthew (Nokia - GB)" <matthew.bocci@nokia.com>, draft-ietf-bess-srv6-services@ietf.org, bess-chairs@ietf.org, The IESG <iesg@ietf.org>, BESS <bess@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f1f19605d833f963"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/lxHRgmQgqdndh8kfeeDMpIOfbHE>
Subject: Re: [bess] Erik Kline's Discuss on draft-ietf-bess-srv6-services-11: (with DISCUSS)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2022 10:10:36 -0000
> >> But I'm prepared to learn why this wouldn't work or would be somehow >> worse. >> > > KT> It isn't necessary nor required because SRv6 locators are just IPv6 > prefixes that are already covered by IGP/BGP extensions for IPv6 routing. A > provider that uses global IPv6 addresses in their infrastructure (e.g. for > their BGP and other routing sessions, on their router links and loopback, > for DHCP, AAA, etc.) already do routing for those prefixes via IGP/BGP. > These are not advertised (nor leaked) out into the Internet since doing so > can result in attacks on their internal network and infrastructure. They > are protected via BGP configuration to stop leaks and then again by ACLs at > Internet Border Routers to prevent attacks via the data path. This still > remains the case to be done for SRv6 locators - they are similarly the > service provider's "internal" infrastructure. > > I'm confounded by the recent line of reasoning of SRv6 proponents. An IPv6 address is NOT a service access point, it's a routable address, history shows us that we can protect against services on the device being attacked through that (though it took some work like proper ICMP handling). SRv6 endpoints here are really service endpoints, unless we have a CUG security architecture in place, how do we protect services here without having CUG style filters on the whole edge? with SRv6 services giving people a service access point and a tunneling technology where someone via v6 routing can built a tunnel to hit the service is a different beast altogether than protecting reachability (routable addresses) and I fear pretty soon we're looking @ routers going very, very deep into the "IPv6" packet to make sure there aren't some magic options on the packet source-routing it in funky ways towards service endpoints that will accept the packet. --- tony
- [bess] Erik Kline's Discuss on draft-ietf-bess-sr… Erik Kline via Datatracker
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Tony Przygienda
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Tony Przygienda
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar
- Re: [bess] Erik Kline's Discuss on draft-ietf-bes… Ketan Talaulikar