RE: [EXT] Re: Last Call: <draft-ietf-6man-rfc2460bis-08.txt> (Internet Protocol, Version 6 (IPv6) Specification) to Internet Standard

David Mozes <davidm@mellanox.com> Tue, 14 February 2017 14:27 UTC

Return-Path: <davidm@mellanox.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC19C129A63; Tue, 14 Feb 2017 06:27:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.889
X-Spam-Level:
X-Spam-Status: No, score=-3.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mellanox.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rh8xD6ODeblj; Tue, 14 Feb 2017 06:27:20 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0043.outbound.protection.outlook.com [104.47.0.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C2D1129A60; Tue, 14 Feb 2017 06:27:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Mellanox.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LVgjNVg1sloo5qRTipk0nsKatX6vsckayGzDtr+IiLI=; b=hy5x4uxl/hsbLwi1jFz4w5fOxKMMp4q4aFn/Mw8Krnsy7uCYXoizUIPGj7QFSXKjiuj6ALnTHfNzjo7d7gL9iPFZLLd+YALMF48izXpttkDh3u3Avqn8yZMlhhmBvZ0rvX3+7HnDgyU79oW0vQNldyy1gna439sxr/U6jvCWag8=
Received: from HE1PR0501MB2138.eurprd05.prod.outlook.com (10.167.246.22) by HE1PR0501MB2137.eurprd05.prod.outlook.com (10.167.246.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Tue, 14 Feb 2017 14:27:16 +0000
Received: from HE1PR0501MB2138.eurprd05.prod.outlook.com ([10.167.246.22]) by HE1PR0501MB2138.eurprd05.prod.outlook.com ([10.167.246.22]) with mapi id 15.01.0888.026; Tue, 14 Feb 2017 14:27:16 +0000
From: David Mozes <davidm@mellanox.com>
To: Tal Mizrahi <talmi@marvell.com>, Mark Smith <markzzzsmith@gmail.com>
Subject: RE: [EXT] Re: Last Call: <draft-ietf-6man-rfc2460bis-08.txt> (Internet Protocol, Version 6 (IPv6) Specification) to Internet Standard
Thread-Topic: [EXT] Re: Last Call: <draft-ietf-6man-rfc2460bis-08.txt> (Internet Protocol, Version 6 (IPv6) Specification) to Internet Standard
Thread-Index: AdKF/X9u+WIK+SvpTdCAbZfIxgfsEgABO8eAADEQ/AAAAQ+oAA==
Date: Tue, 14 Feb 2017 14:27:16 +0000
Message-ID: <HE1PR0501MB21381B97CAB3707DB7D20F31B6580@HE1PR0501MB2138.eurprd05.prod.outlook.com>
References: <67ab3d39d55840c8a207e2104e6020cd@IL-EXCH01.marvell.com> <CAO42Z2zcc-wCtdbs4VFSu-yWUT0u2PX8r+wpe3Jsj-4vVZUwwg@mail.gmail.com> <eeaa0cc49e104cc68c5b2ae23c44e355@IL-EXCH01.marvell.com>
In-Reply-To: <eeaa0cc49e104cc68c5b2ae23c44e355@IL-EXCH01.marvell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=davidm@mellanox.com;
x-originating-ip: [193.47.165.251]
x-ms-office365-filtering-correlation-id: f60b0022-94d6-4f2d-df85-08d454e5936e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:HE1PR0501MB2137;
x-microsoft-exchange-diagnostics: 1; HE1PR0501MB2137; 7:gV5Ee7/6kXtJWVMpHIpPtcAR1s4BrVO2WeckwPZ7kA3ys/PCoKzrTQ43cD7l7xd4V2JVeFp32ueVocn3wvgudESNb1gVpqvnlwTAPpJhwqLp2NAlciBpFREmKaVTaO5okMT4DQJ8exzP9qAhtCNxPcfsruDuT7yU6wousaym47ctY+PNf62Ytot5Idn0VOD2tbq5nwuwkZl6ytpr6pVtwEcrMjhcVNwHillgvBX0ukqBbhuFGkSGd/vp17jP3EbR0YXzR5+z6oEackCKeN72UOemNzhFJPIBQZ4Al6ufdCUzIbwB4CI7oxW6lXY0KMqJ/teaxx9e97s29lxrXXXHvtjSQGnE8D1+G+bPMNE/3U5hGYZNp7FYarO7s0LZfhVn5pbQXuWWBN83rPMro/2f00XsrWKz6TnONMmiTGG9TBLD6NgSRqcrlQVSBsjjNsCiLtVhzFK0aDM80FCSJSuWdNLhTJQrgO/vi+9hpUTu5xI7g+R8+3aJi6Y8GD7oXbrOAHIH3SKm88at8phTGRNdgQ==
x-microsoft-antispam-prvs: <HE1PR0501MB21376282FBDD5D2B34575F87B6580@HE1PR0501MB2137.eurprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123558025)(20161123560025)(20161123562025)(20161123564025)(20161123555025)(6072148); SRVR:HE1PR0501MB2137; BCL:0; PCL:0; RULEID:; SRVR:HE1PR0501MB2137;
x-forefront-prvs: 0218A015FA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(39450400003)(39860400002)(39850400002)(39840400002)(39410400002)(189002)(199003)(377454003)(13464003)(24454002)(51444003)(92566002)(230783001)(25786008)(55016002)(54906002)(74316002)(66066001)(33656002)(99286003)(68736007)(8676002)(6436002)(2906002)(9686003)(6506006)(81166006)(97736004)(77096006)(3280700002)(54075001)(6306002)(305945005)(50986999)(7736002)(2900100001)(81156014)(53936002)(4326007)(8936002)(2950100002)(106356001)(229853002)(76176999)(54356999)(6116002)(122556002)(3846002)(86362001)(7696004)(38730400002)(105586002)(3660700001)(5660300001)(6246003)(189998001)(39060400002)(101416001)(102836003)(81003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0501MB2137; H:HE1PR0501MB2138.eurprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: mellanox.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: Mellanox.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2017 14:27:16.1655 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a652971c-7d2e-4d9b-a6a4-d149256f461b
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0501MB2137
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/2AYVjlnRPwgCOt1_NWWsCbzuuio>
Cc: "6man@ietf.org" <6man@ietf.org>, "draft-ietf-6man-rfc2460bis@tools.ietf.org" <draft-ietf-6man-rfc2460bis@tools.ietf.org>, IETF Discussion list <ietf@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 14:27:23 -0000

Hi * ,
I am also supporting the insertion of in-band telemetry like INT along with the  actual data packet .
It is for sure a valid use case for the modern networking including data center. 
There are several proposals how to embedded telemetry information   some of them are with in nvo3 tannling protocols 
(Vxlan-GPE,Geneve) Spring and other  . 
I think that ipv6 hbh is the "cleanest"  way to add such info.
	1) I don't see any and advantages on the other  proposals (NVO3 ,SPRING) over IPV6 hbh.
	2))As far as security In the IPsec community, AH is pretty much considered deprecated, a failed experiment.They  are  prefer to use   ESP for authentication as well.
 
The postal system and the letter is very nice e example  . I will treat the adding ipv6-hbh info as stamps on the envelops ,since we are not touching  the data gram itself just the envelope

Thx
David
-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Tal Mizrahi
Sent: Tuesday, February 14, 2017 3:37 PM
To: Mark Smith <markzzzsmith@gmail.com>
Cc: draft-ietf-6man-rfc2460bis@tools.ietf.org; 6man@ietf.org; IETF Discussion list <ietf@ietf.org>rg>; 6man-chairs@ietf.org
Subject: RE: [EXT] Re: Last Call: <draft-ietf-6man-rfc2460bis-08.txt> (Internet Protocol, Version 6 (IPv6) Specification) to Internet Standard

Hi Mark,

I certainly agree that hop-by-hop insertion/modification introduces potential security vulnerabilities.
Therefore, as I pointed out below, I would recommend to tackle this by defining something along the lines of “Hop-by-hop extensions can be inserted/removed/modified/processed by intermediate nodes *if* [……..] and the possible consequences are [……..]”

For example, hop-by-hop handling can be restricted only to a single administrative domain, or only to tunnels (as in the zero checksum case). 

Regards,
Tal.

>-----Original Message-----
>From: Mark Smith [mailto:markzzzsmith@gmail.com]
>Sent: Monday, February 13, 2017 6:07 PM
>To: Tal Mizrahi
>Cc: 6man@ietf.org; IETF Discussion list; draft-ietf-6man- 
>rfc2460bis@tools.ietf.orgorg; 6man-chairs@ietf.org
>Subject: [EXT] Re: Last Call: <draft-ietf-6man-rfc2460bis-08.txt> 
>(Internet Protocol, Version 6 (IPv6) Specification) to Internet 
>Standard
>
>External Email
>
>----------------------------------------------------------------------
>Hi,
>
>
>
>On 14 February 2017 at 00:43, Tal Mizrahi <talmi@marvell.com> wrote:
>> Hi,
>>
>>
>>
>> Good discussion regarding the text about the hop-by-hop extension.
>>
>>
>>
>> In my opinion there is a valid use case for intermediate nodes that 
>> insert/remove/modify/process hop-by-hop extensions. Examples: IOAM, INT.
>>
>> Since there is a use case, I believe we need explicit text about 
>> intermediate handling of hop-by-hop extensions.
>>
>
>
>Imagine you sent a letter through the postal system, and the postal 
>system wanted to add information to that letter, that is then to be 
>removed before the letter arrives at its final destination.
>
>The postal system have at least two choices as to how to add that information.
>They could:
>
>(a) unstick your envelope's seal, insert the information, reseal the 
>envelope so well you can't tell and send it on its way, some how 
>flagging to a destination device within the postal system that this 
>specific envelop needs to be openned, a specific page removed, and then resealed.
>
>(b) take a new envelope with new internal postal system source and 
>destination address information, insert your letter without touching it 
>in addition to the new information, and then sending it on its way.
>
>Imagine that the information to be added by the postal system is 
>printed on the same type of paper and is written in the same font as 
>you've chosen to use to write your letter.
>
>Have a think about these two methods, what could fail with each of 
>them, and what the consequences may be if any of those failures occur.
>Have a think of the benefits of each method, and whether they're worth 
>it compared to the failure mode costs and consequences for the method.
>
>>
>>
>> This [somewhat] reminds me of the discussion a few years ago about 
>> the IPv6/UDP zero checksum. The WG ended up defining that “Zero 
>> checksum is permitted in IPv6/UDP *if* [……..] and the possible consequences are [……..]”.
>>
>>
>
>That is a far more trivial change to the packet - it is allowing a 
>value in an existing field that was formerly prohibited, and nodes that 
>did not understand that value would drop the packet because that is 
>what they had been specified to do if they received this prohibited value. In other words, existing implementations '
>behaviour when this formerly unexpected value was encountered had 
>already been specified and deployed.
>
>
>>
>> I would argue that regarding hop-by-hop extension handling we also 
>> need to define that “Hop-by-hop extensions can be 
>> inserted/removed/modified/processed by intermediate nodes *if* [……..] 
>> and the possible consequences are [……..]”.
>>
>
>Some things that are possible to do in theory shouldn't be done in 
>practice, because the consequences when their implementations fail can 
>be severe and outweigh the benefits.
>
>In theory, inserted EHs will be removed 100% of the time. In practice 
>they won't be, because implementations can have bugs and they can also 
>fail in unexpected ways e.g., hardware faults.
>
>Regards,
>Mark.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------