IETF Logo Mail Archive

Re: [Idr] Fw: Re: New Version Notification for draft-xie-idr-mpbgp-extention-4map6-00.txt

Robert Raszuk <robert@raszuk.net> Mon, 23 January 2023 09:49 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3F8C151707 for <idr@ietfa.amsl.com>; Mon, 23 Jan 2023 01:49:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_FACE_BAD=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BT9oGBMbsWVG for <idr@ietfa.amsl.com>; Mon, 23 Jan 2023 01:49:54 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EDFCC151702 for <idr@ietf.org>; Mon, 23 Jan 2023 01:49:54 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id r9so10203941wrw.4 for <idr@ietf.org>; Mon, 23 Jan 2023 01:49:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ctQdKUDfAW4t43ChtNeClNbGDakeN4JLRBesnzgtY1g=; b=IftLTdifThblgkqPGn1UGMxjPtrmGo5sqh7dMyEbI3vdHZjMX8ms5RyTFobF7lBE9F xmcMDsc+rbCDQCMxnbelHGsHRmkJsdnBLWIFQKC+MJ1t97d2YUvvxG8irmWbRjnfyiu7 zPtcht4wJaSpX+quJaooHQVHd/GCaYJTY1+gBFwlllqA53EzUp9jql/9XqNwt2CGtVKM 6N1BDGJp5tA+WRCgCsfldYyNB0dWn1TJrdkaVBbdSdc8pONgxPA+pk0DUf0blwk0ISb6 YjdsYFY3OwW9Buh9k+lkXJ1G2kSzD+nXKZwIWY4jXku9gAMpyx70KHBf0GNyLRscthb9 fFEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ctQdKUDfAW4t43ChtNeClNbGDakeN4JLRBesnzgtY1g=; b=YJREVKV2BxhsvNfYhm1MGsJUYFDUz6rNLmKF2CXwn0Yl9uOSs81p45CT+Ty08e8v91 +pFP/7EiurIz9H5c6mmplgKkddbzbj50DxWmlSuf8fN6rVIeBs0FnnuPxV6/Yy7ALzHu LVi0Dtoh4GXyaIUzaSedu2BUtkfgUH8/lFjDddtrhcLNXd70meIEDabjpc7vCIxF+ct2 uKO5/l6Www17FaaZ7S471nHtTda9y2jUWxN5XxnncMl4xJ+eU3+HYOIHFckYt+Qql86i 4BohpnmcikEKu9YWKlHjyCEy6+YctNJaUVStMAVS7GA0xqcTA1+I/gYsFNWMW+DwHfuI cdIg==
X-Gm-Message-State: AFqh2koUmNm5yY5YK99iS6rdh6f3w/6Mch3djsw0bBMc4gqpN7vBRd6q u8lZ9hoJ+UJq8JIgkLguHTYbliePT9a6N0G09/IYHQ==
X-Google-Smtp-Source: AMrXdXsLLvYUYfev/hqqpNG57cZFSILFTLVQ83aepIgOTEyV6KsduVxFEq3dwNF5Y84zQxzdYCUDjbaT4He3aD+B1Pc=
X-Received: by 2002:a5d:5745:0:b0:2bd:bbbf:aaf0 with SMTP id q5-20020a5d5745000000b002bdbbbfaaf0mr940370wrw.230.1674467392096; Mon, 23 Jan 2023 01:49:52 -0800 (PST)
MIME-Version: 1.0
References: <202301230839078513104@chinatelecom.cn>
In-Reply-To: <202301230839078513104@chinatelecom.cn>
From: Robert Raszuk <robert@raszuk.net>
Date: Mon, 23 Jan 2023 10:49:40 +0100
Message-ID: <CAOj+MMExmZf4NoFkAiEZGnEa9wwDdO5Sfq8YpEA0rzD3Oy+bUw@mail.gmail.com>
To: Chongfeng Xie <xiechf@chinatelecom.cn>
Cc: idr-chairs <idr-chairs@ietf.org>, idr <idr@ietf.org>, donggz <donggz@chinatelecom.cn>, xing <xing@cernet.edu.cn>
Content-Type: multipart/alternative; boundary="00000000000018215e05f2eb5296"
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/ir2uxRPy9insTzHbM8paidAPKw4>
Subject: Re: [Idr] Fw: Re: New Version Notification for draft-xie-idr-mpbgp-extention-4map6-00.txt
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jan 2023 09:49:58 -0000

Hi Chongfeng,

Ad 1 -

> The mapping rule can be transmitted within and across domains

Introduction of a new address-family always has a significant operational
burden. If you intend to make it work interdomain all involved domains now
must be upgraded to support new AFI/SAFI.

That is a real obstacle if sites would like to also connect to the Internet
as now you need a gateway to translate new SAFI into 1/1.

Ad 2 -

As we have discussed offline what you put as encapsulation src or dst is a
local matter.  Nothing prevents local configuration to place fully mapped
address as src and/or dst in the outer encapsulation today.

In all cases routing in the core to egress PE would be done based on IPv6
prefix of the egress node.

You keep repeating "legacy encapsulation mode" ... that pejorative
statement has no basis here as you are not proposing any new encapsulation.
All you are proposing in the draft is to carry IPv4 mapped IPv6 addresses
in new BGP SAFI.

So what is your definition of "legacy encapsulation mode " ? And what is
the "modern" version of it ?

That alone is highly questionable as such mapping's algorithm is well known
and each node can do the mapping by itself. All it needs to know is the
AFI/SAFI 1/1 and tunnel endpoint. There is no magic to it. This really
proves no justification to invent new SAFI for it.

> RFC9012 does not have this feature, it still relies on explicit IPv6
address of the router, e.g., BGP next-hop, as the tunnel point.

As we also discussed, tunnel endpoint does not and in many case is not the
same as BGP next hop.

Ad 3 -

Addressed in #2.

It is however interesting that you are bringing a security aspect for a
closed domain(s) service. Are you afraid that your own customers will be
attacking the subject infrastructure ?

If this is about Internet sourced attacks your infra there are well known
techniques to prevent that irrespective of the subject draft.

Many thx,
R.

On Mon, Jan 23, 2023 at 1:39 AM Chongfeng Xie <xiechf@chinatelecom.cn>
wrote:

>
>
>
>
> Hello, folks,
>
> Since the drafts was submitted several days ago, we have received Robert
> and Gyan's comments, which are very valuable. Thanks.
>
>
>
> Here I'd like to provide some background information about this draft:
>
> 1)Firstly, its use case is to support IPv4aaS in the multi-domain
> IPv6-only networks.  The framework has been defined in
> [draft-ietf-v6ops-framework-md-ipv6only-underlay],it adopted a specific
> data structure called address mapping rule, which is the mapping
> relationship between IPv4 address block and IPv6 mapping prefix of the PE
> devices. In order to forward IPv4 service data, mapping rule is used by the
> ingress PE to generate corresponding IPv6 source and destination addresses
> from its IPv4 source and destination address, and vice versa. The mapping
> rule can be transmitted within and across domains, therefore, it gives the
> direction of IPv4 service data transmission in multi-domain IPv6-only
> networks. Moreover, since this is prefix-level mapping, there is no need to
> maintain user-related status or translation tables at the PE devices.
>
>
>
> 2)Secondly, the encapsulation approach supported by the mapping rule is
> different from legacy tunnels in terms of the outer address creation.
>
> In the legacy encapsulation mode, the mapping of original IPv4 address and
> IPv6 address is N:1, i.e., IPv4 packets with different combination of
> source and destination address share the same IPv6 tunnel. The outer IPv6
> addresses are unrelated to the inner IPv4 addresses, so it is difficult for
> the network to distinguish the host.
>
>
>
> The approach in my draft uses rule-based address mapping, the IPv6 source
> addresses automatically generated comprises the original IPv4 source
> addresses of the packet, the IPv6 destination addresses comprises the
> original IPv4 destination addresses too. Thus, for all the IPv4 packets
> which have the same IPv6 data path in IPv6-only network, when the inner
> IPv4 addresses are different, the outer IPv6 addresses will be different
> correspondingly, which is equivalent to establishing specific tunnels for
> different IPv4 packets, so the network can easily identify hosts based on
> the outer source and destination IPv6 addresses.
>
>
>
> RFC9012 does not have this feature, it still relies on explicit IPv6
> address of the router, e.g., BGP next-hop, as the tunnel point.
>
>
>
> 3) In addition,the mapping rule-based mechanism expects to make some
> security enhancement over traditional tunnel. In the legacy encapsulation
> mode, endpoint IP address on PE device can easily become a target of DDOS
> attack from the Internet. But in the new approach, there is no specific
> physical end-point address on each PE, the tunnel endpoint address is
> generated dynamically by using IPv6 mapping prefix to splice IPv4
> addresses. This will be helpful to avoid the static IPv6 address from
> becoming the target of the DDOS attack.
>
>
>
> Based on the considerations above, in order to exchange the mapping rule
> across domains, this draft proposes to make necessary extensions to MP-BGP
> in a feasible and effective way. Of course, this draft is only at the
> primitive stage, and there are many aspects to be modified and improved. I
> hope to receive more comments and suggestions.
>
>
> Best regards
>
> Chongfeng
>
>
>
> *From:* Chongfeng Xie <xiechf@chinatelecom.cn>
> *Date:* 2023-01-17 19:33
> *To:* internet-drafts <internet-drafts@ietf.org>
> *CC:* donggz <donggz@chinatelecom.cn>; xing <xing@cernet.edu.cn>;
> idr-chairs <idr-chairs@ietf.org>
> *Subject:* Re: New Version Notification for
> draft-xie-idr-mpbgp-extention-4map6-00.txt
>
> Hello, everyone,
> We have just submitted a new draft, which is about MP-BGP extension for
> multi-domain IPv6-only neworking. Since this is its first submission, there
> must be many defects in it, we look forward to receiving more comments,
> suggestions and even criticism.
>
> Best regards
> Chongfeng
>
>
> *From:* internet-drafts <internet-drafts@ietf.org>
> *Date:* 2023-01-17 19:17
> *To:* Chongfeng Xie <xiechf@chinatelecom.cn>; Guozhen
> <donggz@chinatelecom.cn>; Guozhen Dong <donggz@chinatelecom.cn>; Xing Li
> <xing@cernet.edu.cn>
> *Subject:* New Version Notification for
> draft-xie-idr-mpbgp-extention-4map6-00.txt
>
> A new version of I-D, draft-xie-idr-mpbgp-extention-4map6-00.txt
> has been successfully submitted by Chongfeng Xie and posted to the
> IETF repository.
>
> Name: draft-xie-idr-mpbgp-extention-4map6
> Revision: 00
> Title: MP-BGP Extension and the Procedures for IPv4/IPv6 Mapping
> Advertisement
> Document date: 2023-01-15
> Group: Individual Submission
> Pages: 13
> URL:
> https://www.ietf.org/archive/id/draft-xie-idr-mpbgp-extention-4map6-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-xie-idr-mpbgp-extention-4map6/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-xie-idr-mpbgp-extention-4map6
>
>
> Abstract:
>    This document defines NLRI with specific AFI/SAFI combination, a new
>    BGP path attribute known as the "4map6" and a set of related
>    procedures, which can be used for transferring IPv4/IPv6 address
>    mapping rule to support IPv4 service delivery in multi-domain
>    IPv6-only underlay networks.
>
>
>
>
>
> The IETF Secretariat
>
>
>
>
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr
>

v2.23.0 | Report a Bug | By Email