Re: [Int-area] Fwd: I-D Action: draft-carpenter-limited-domains-06.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 02 March 2019 19:51 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5910212F295 for <int-area@ietfa.amsl.com>; Sat, 2 Mar 2019 11:51:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OG2kILmHGqfZ for <int-area@ietfa.amsl.com>; Sat, 2 Mar 2019 11:50:57 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 158661279E6 for <int-area@ietf.org>; Sat, 2 Mar 2019 11:50:57 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id q3so594212pll.4 for <int-area@ietf.org>; Sat, 02 Mar 2019 11:50:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=StjBNAydxJyacCu1KS8cB9Tl+5LPFaoE93IK4/UMJj8=; b=ak2IzXtC1nfnZc3NIlVCiGTvyzm35dmvzyt5yyCAT0Qa6h+hTWUDVwZqCtxYJ2NqHG 3GyLS/7VRrwPSIfhEeapqJpv/b98VF9Jap6lHZtLRSkKLZ9DpHzzSipUiO0Loybg8rqR 31L38Roa29ueFiykU031f3dfGRQdNq6JSAsAME5U5j7Rl+QNsK4Uub+vmviCStLQKZkl R7/3GX4Ac8CU6iQ0+waKjCv7nsRUUZ7NTJ/EbdPK0vSpD1iweSzFll7QdCpfM4OSGYXT AzxEbRM0RY8OMAYck6GyJ+srmTLtWdh5IPRhLfUE3qVAfi5zdzQbK3LP1gNGB/lRSglP /YeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=StjBNAydxJyacCu1KS8cB9Tl+5LPFaoE93IK4/UMJj8=; b=PJB/S102SzYFAmEh3DByczHo9eQsEkSHHaTH1/gPrz5vAuGWa0n6EXzt5IPvCzpLji tzsDFXxlcTpRZK0Yw4Lh0FXfsMV5hn6d0f0VGrhXtsZ8yn7Oo1iVWG4otOug6tN8fbWj e0PUeVEna/O1hylxwrZIDJSXWrrYkKLwYyvWgG6kuVSc5xx4GLknQYKahS/NscaJZiYE NBctXTrpxt/4iH1leijEiCGfCc+7LmbGz4HVT7fgnffHEDt1QDhrKA3Wv+PTFBgr7zwP n6hjC8VTSTY/JQ+pFwBdh0KQpw7EQdqqZf17JBHKfJyruZ69ceaQINORULgfmUHjPIur vKyA==
X-Gm-Message-State: APjAAAXS0/BYXrGemRebr5dZc1hSMjbsVQByCUVWU+OgpPv4RXZFqDUR t025RSH2TBfUDfta/MJAe8jMUAzo
X-Google-Smtp-Source: APXvYqwzam6mlqbCwODyLjvDc0rgEIygHl+/K6W6EgFqtkY7KciQr5sG06brJyxA9z6cn+emtgXKXg==
X-Received: by 2002:a17:902:bd06:: with SMTP id p6mr12188481pls.130.1551556256041; Sat, 02 Mar 2019 11:50:56 -0800 (PST)
Received: from [192.168.178.30] ([118.148.79.176]) by smtp.gmail.com with ESMTPSA id i10sm2579941pgs.26.2019.03.02.11.50.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 02 Mar 2019 11:50:55 -0800 (PST)
To: Tom Herbert <tom@herbertland.com>
Cc: int-area <int-area@ietf.org>
References: <155148867733.6203.17876831273429823351@ietfa.amsl.com> <45a7996f-3d80-cf32-43ca-c02244ea2d39@gmail.com> <CALx6S34zqSV2gxkOHU=hcNrDy=ptAba3iMx4_JKAMoHZQMKsxg@mail.gmail.com> <31f83f21-f884-1f4a-f92f-5b40927bac4b@gmail.com> <CALx6S377x12FLVX75Ud0gya8apirs+3KZvenXA9e==JG1L+zNw@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <3b7778c4-e9c3-0fa2-b8ff-17cd0984e4e6@gmail.com>
Date: Sun, 03 Mar 2019 08:50:53 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <CALx6S377x12FLVX75Ud0gya8apirs+3KZvenXA9e==JG1L+zNw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/DRIe7nhi21zRhS3jxvfCn6Nf9Jo>
Subject: Re: [Int-area] Fwd: I-D Action: draft-carpenter-limited-domains-06.txt
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2019 19:51:00 -0000
On 03-Mar-19 06:35, Tom Herbert wrote: > On Fri, Mar 1, 2019 at 7:18 PM Brian E Carpenter > <brian.e.carpenter@gmail.com> wrote: >> >> On 02-Mar-19 14:46, Tom Herbert wrote: >>> Hi Brain, >>> >>> One comment... >>> >>> >From the draft: >>> >>> "5. Firewall and Service Tickets (FAST). Such tickets would >>> accompany a packet to claim the right to traverse a network or request >>> a specific network service [I-D.herbert-fast]. They would only be >>> valid within a particular domain." >>> >>> While it's true that Firewall and Service and Tickets (in HBH >>> extension headers) are only valid in a particular domain, that really >>> means that they are only interpretable in the origin domain that >>> created the ticket. It's essential in the design that FAST tickets can >>> be exposed outside of their origin domain (e.g. used over the >>> Internet) and reflected back into the origin domain by peer hosts. >>> FAST tickets contain their own security (they are encrypted and signed >>> by agent in the origin network) so there should never be any reason >>> for a firewall to arbitrarily filter or limit packets with FAST >>> tickets attached. This technique could probably be applied to some of >>> the other use cases mentioned. >> >> Yes, that's an interesting model: effectively a domain split into various >> parts without needing a traditional VPN. >> >> Of course, there remains the bogeyman of making the Internet transparent >> to some new unknown option or extension header. I'm pessimistic about that. >> So far we have had poor success. > > Maybe, although I wouldn't phrase it exactly that way. Protocol > ossification of the Internet and the abandonment of the End-to-End > model has made evolution of the Internet harder, but I don't believe > it is yet proven impossible. This goes back to my primary concern that > if the concept of limited domains is standardized, some people will > use it as rationalization to justify non-conformant implementation and > proprietary, non-interoperable solutions as somehow being compatible > with Internet architecture and ideals. I certainly acknowledge that risk; but (having lived with this problem in some form or other since RFC2101) I really think we can't duck it any longer. Also, we really have standardized limited domains already, in numerous places - segment routing and detnet being recent examples. I think ultimately what we're arguing in the draft is: let's do it properly. Brian Brian
- [Int-area] Fwd: I-D Action: draft-carpenter-limit… Brian E Carpenter
- Re: [Int-area] Fwd: I-D Action: draft-carpenter-l… Tom Herbert
- Re: [Int-area] Fwd: I-D Action: draft-carpenter-l… Brian E Carpenter
- Re: [Int-area] Fwd: I-D Action: draft-carpenter-l… Tom Herbert
- Re: [Int-area] Fwd: I-D Action: draft-carpenter-l… Brian E Carpenter
- Re: [Int-area] Fwd: I-D Action: draft-carpenter-l… Tom Herbert
- Re: [Int-area] Fwd: I-D Action: draft-carpenter-l… Brian E Carpenter