Re: [spring] CRH is not needed - Re: How CRH support SFC/Segment Endpoint option?

Robert Raszuk <robert@raszuk.net> Tue, 26 May 2020 21:17 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E27CD3A082C for <ipv6@ietfa.amsl.com>; Tue, 26 May 2020 14:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3wVgmlemAjN for <ipv6@ietfa.amsl.com>; Tue, 26 May 2020 14:17:15 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF6273A0808 for <6man@ietf.org>; Tue, 26 May 2020 14:17:14 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id c35so2569592edf.5 for <6man@ietf.org>; Tue, 26 May 2020 14:17:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lrPb1RaQf/tnpL6+HIagE+vgLTpbiqcHJJ0rAzD/5aU=; b=fCI/6ZXgj9tBHXNPan0UYDPEoPn8KkbxXEXID8txyhCVYVpCgvwO6t0xaTIu7ASBVd /5TcOKe9a2eAuZWZwfAAlOfma8BxnXQA9vkyBV6uk7oEFSsVtuCo3ckn080C/MN4YfZh HmzHf+rve2fpCzUOAZxHPzwB9TS4nwJrl0YbZfcfyWAwI1BBVteOwlYOOJOg+o37Crd9 qvxK487A5D2nw1pFRd4FazmmvPm3+hN98sgW2/6aatXA3FEjno2bEv0o7REbAHygIrv/ CfSkA5L8j0x/eXKsKx1CklaqOyXVOCWCLiP3np9STIBqbTso69EoZMXHsLIUKxONOzAU N4xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lrPb1RaQf/tnpL6+HIagE+vgLTpbiqcHJJ0rAzD/5aU=; b=IFaZ3O2y0rttpzK8Uo/FgD4NObf/rVXxScjTVTS4ymqY6rsDoL+ZlwVGa4lfNYFs26 QWvmjPKljeZkrcuHty9a8wPhYqlB3DMsILNW23RNjs8wJ3FGNb1fmtZFgBbNkbwQzZnk IyAZ7rtZs81tbGwkB5U+txesVUCoO47+lUuc/lqrbpnkihClluUTSHjsF3cbhuPlzBtj lDg3QuG/fks0u7kR+EsZKiaPzWMAbqFtbLkMkaPCjcIB+UoMkm5zELwpT/JXqfJuUxbN Vi9nonyqgY6KW5YJxpqw+D3Q9Pt8h4/VD3t/eCO9xGMb3VpaN3BoSgYI4c/jX2HUm3jU wpiA==
X-Gm-Message-State: AOAM53101pQVtyfNx3nlvgROmx+55r89M9/bsV9s0NMYrX7zpgZ9Q3tQ aC/hmLLonVUHc11gVsrO9Gx1EAYHED7YfAKF+Za6HQ==
X-Google-Smtp-Source: ABdhPJzAG+FooJQQQCFKK5KUn35n9r9hjnUNP71pdfbwcAUtmxoXNvYOJ452l5vF0yZ6HUAzfswMTHbAKYtI92UU8u8=
X-Received: by 2002:aa7:d2d0:: with SMTP id k16mr21376896edr.272.1590527833186; Tue, 26 May 2020 14:17:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAOj+MMHRAuT1931reBLe-1UQ5gac4RmCtybk-OXn03atoAjDkA@mail.gmail.com> <5265F3D0-BAB8-41E3-B932-85ED4DEDA468@steffann.nl> <DB768488-AC2B-4B2B-A2FC-F8E07B88356C@juniper.net>
In-Reply-To: <DB768488-AC2B-4B2B-A2FC-F8E07B88356C@juniper.net>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 26 May 2020 23:17:04 +0200
Message-ID: <CAOj+MMH-26mc-rSQAOTmNWBBESor66EsnaqUgGyXMCJYyAtE=A@mail.gmail.com>
Subject: Re: [spring] CRH is not needed - Re: How CRH support SFC/Segment Endpoint option?
To: John Scudder <jgs@juniper.net>
Cc: Sander Steffann <sander@steffann.nl>, Ron Bonica <rbonica@juniper.net>, 6man <6man@ietf.org>, "Zafar Ali (zali)" <zali@cisco.com>, "spring@ietf.org" <spring@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080b9f105a6939e27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/07_MIG1zI9ROXpeh7j5j9u5SyO8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 21:17:17 -0000

Hi John,

That is indeed an interesting point. Honestly in all of my personal and
business interests I want to use any of those technologies (of course with
RbR preference) for engineering SDWANs. So clearly Internet transit
applies.

But then I have just one question:

- In what context have we spent so many emails discussing "escaping packets
to the Internet" or protecting infrastructure (SID addresses from "entering
your network from Internet" ?

Kind regards,
R.





On Tue, May 26, 2020 at 10:44 PM John Scudder <jgs@juniper.net> wrote:

> On May 26, 2020, at 3:52 PM, Sander Steffann <sander@steffann.nl> wrote:
>
>
> Source and destination are in the same domain. Who says that the domain is
> contiguous? Let's change the example to main and branch offices. Same
> administrative domain, while still traversing the internet.
>
>
> This is an interesting point. You can protect it with AH to address
> security concerns about sending the CRH across the big-I Internet, too. I
> feel like it provides another illustration of the “look at the benefits you
> get if you work within an existing architecture instead of trying to invent
> a whole new one” case. You didn’t have to invent a whole new security
> architecture of your own — you fit into an existing architecture, and got
> to inherit its security properties.
>
> $0.02,
>
> —John
>