Re: [Int-area] Fwd: I-D Action: draft-carpenter-limited-domains-06.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 02 March 2019 03:18 UTC


On 02-Mar-19 14:46, Tom Herbert wrote:
> Hi Brian,
> 
> One comment...
> 
> From the draft:
> 
> "5.   Firewall and Service Tickets (FAST).  Such tickets would
> accompany a packet to claim the right to traverse a network or request
> a specific network service [I-D.herbert-fast].  They would only be
> valid within a particular domain."
> 
> While it's true that Firewall and Service Tickets (in HBH
> extension headers) are only valid in a particular domain, that really
> means that they are only interpretable in the origin domain that
> created the ticket. It's essential in the design that FAST tickets can
> be exposed outside of their origin domain (e.g. used over the
> Internet) and reflected back into the origin domain by peer hosts.
> FAST tickets contain their own security (they are encrypted and signed
> by an agent in the origin network) so there should never be any reason
> for a firewall to arbitrarily filter or limit packets with FAST
> tickets attached. This technique could probably be applied to some of
> the other use cases mentioned.

Yes, that's an interesting model: effectively a domain split into various
parts without needing a traditional VPN.

Of course, there remains the bogeyman of making the Internet transparent
to some new unknown option or extension header. I'm pessimistic about that.
So far we have had poor success.

    Brian

> 
> Thanks,
> Tom
> 
> On Fri, Mar 1, 2019 at 5:08 PM Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:
>>
>> A few small updates and fixes to references. Please comment;
>> the authors are wondering about next steps for this draft.
>>
>>     Brian + Bing
>>
>> -------- Forwarded Message --------
>> Subject: I-D Action: draft-carpenter-limited-domains-06.txt
>> Date: Fri, 01 Mar 2019 17:04:37 -0800
>> From: internet-drafts@ietf.org
>> Reply-To: internet-drafts@ietf.org
>> To: i-d-announce@ietf.org
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>
>>
>>         Title           : Limited Domains and Internet Protocols
>>         Authors         : Brian Carpenter
>>                           Bing Liu
>>         Filename        : draft-carpenter-limited-domains-06.txt
>>         Pages           : 24
>>         Date            : 2019-03-01
>>
>> Abstract:
>>    There is a noticeable trend towards network requirements, behaviours
>>    and semantics that are specific to a limited region of the Internet
>>    and a particular set of requirements.  Policies, default parameters,
>>    the options supported, the style of network management and security
>>    requirements may vary.  This document reviews examples of such
>>    limited domains, also known as controlled environments, and emerging
>>    solutions, and develops a related taxonomy.  It then briefly
>>    discusses the standardization of protocols for limited domains.
>>    Finally, it shows the needs for a precise definition of limited
>>    domain membership and for mechanisms to allow nodes to join a domain
>>    securely and to find other members, including boundary nodes.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-carpenter-limited-domains/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-carpenter-limited-domains-06
>> https://datatracker.ietf.org/doc/html/draft-carpenter-limited-domains-06
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-carpenter-limited-domains-06
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> I-D-Announce mailing list
>> I-D-Announce@ietf.org
>> https://www.ietf.org/mailman/listinfo/i-d-announce
>> Internet-Draft directories: http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>
>> _______________________________________________
>> Int-area mailing list
>> Int-area@ietf.org
>> https://www.ietf.org/mailman/listinfo/int-area
>
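An added illustrative model of the property Tom describes above: a ticket created by an agent in the origin domain is encrypted and authenticated, so it is opaque to every other network, yet it still verifies when a peer host on the Internet reflects it back unchanged. This is example code written for this archive page, not code from draft-herbert-fast or from either author; the ticket layout, the HMAC-derived keystream standing in for a real AEAD, and the per-domain keys are all assumptions.

```python
import hmac, hashlib, os, struct

NONCE_LEN, TAG_LEN = 12, 16

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (assumption: a real
    # deployment would use an AEAD such as AES-GCM; this keeps the example stdlib-only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def issue_ticket(enc_key: bytes, mac_key: bytes, claim: bytes, nonce: bytes = None) -> bytes:
    # Origin-domain agent: encrypt the claim, then authenticate nonce||ciphertext.
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(claim, _keystream(enc_key, nonce, len(claim))))
    body = nonce + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

def verify_ticket(enc_key: bytes, mac_key: bytes, ticket: bytes):
    # Only a holder of the origin domain's keys can interpret the ticket;
    # anyone else sees an opaque blob and gets None here.
    if len(ticket) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    origin = (os.urandom(32), os.urandom(32))   # constructed origin-domain keys
    foreign = (os.urandom(32), os.urandom(32))  # constructed keys of some other domain
    claim = b"service=low-latency"              # constructed ticket content
    ticket = issue_ticket(*origin, claim)
    reflected = bytes(ticket)                   # peer host echoes the ticket byte-for-byte
    tampered = ticket[:-1] + bytes([ticket[-1] ^ 0x01])
    return {
        "origin_accepts_reflected": verify_ticket(*origin, reflected) == claim,
        "foreign_domain_cannot_read": verify_ticket(*foreign, ticket) is None,
        "tampered_ticket_rejected": verify_ticket(*origin, tampered) is None,
    }

if __name__ == "__main__":
    print(demo())
```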