RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

"Xiejingrong (Jingrong)" <xiejingrong@huawei.com> Sat, 16 May 2020 07:30 UTC

Return-Path: <xiejingrong@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72B3D3A08B2 for <ipv6@ietfa.amsl.com>; Sat, 16 May 2020 00:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2wSU5SkwpomA for <ipv6@ietfa.amsl.com>; Sat, 16 May 2020 00:29:57 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAB093A08AF for <ipv6@ietf.org>; Sat, 16 May 2020 00:29:57 -0700 (PDT)
Received: from lhreml703-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id CAC42349C354E84583AC; Sat, 16 May 2020 08:29:55 +0100 (IST)
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by lhreml703-chm.china.huawei.com (10.201.108.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Sat, 16 May 2020 08:29:55 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml705-chm.china.huawei.com (10.98.57.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Sat, 16 May 2020 15:29:52 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Sat, 16 May 2020 15:29:52 +0800
From: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
To: Ron Bonica <rbonica@juniper.net>, Bob Hinden <bob.hinden@gmail.com>, "IPv6 List" <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
Thread-Topic: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
Thread-Index: AQHWKwY/0UFCZZD8rUe0wQlW37HacqiqAKIQ//+Ra4CAAL7RYA==
Date: Sat, 16 May 2020 07:29:52 +0000
Message-ID: <31f1eb5680f748348198bd45e6576941@huawei.com>
References: <19D30186-B180-4F65-BF00-7AD07CEF3925@gmail.com> <92cff01e5eeb4a1e85357e61c8ca63fd@huawei.com> <DM6PR05MB63481D9765EA155C167778B4AEBA0@DM6PR05MB6348.namprd05.prod.outlook.com>
In-Reply-To: <DM6PR05MB63481D9765EA155C167778B4AEBA0@DM6PR05MB6348.namprd05.prod.outlook.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.45.163.108]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/2Mz3FfHMai2A_O67AbsILUMT8WI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 07:30:00 -0000

Hi Ron,
Thanks for the quick response. 
Let's move to the "Questions regarding the security mechanisms" thread for the security mechanism discussion.
(I have added some additional response mails there, including the difference of "CRH security model" and the "SRH security model" in my understanding)

Best regards
Jingrong

-----Original Message-----
From: Ron Bonica [mailto:rbonica@juniper.net] 
Sent: Saturday, May 16, 2020 12:05 PM
To: Xiejingrong (Jingrong) <xiejingrong@huawei.com>om>; Bob Hinden <bob.hinden@gmail.com>om>; IPv6 List <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

Jingrong,

The CRH security model is nearly identical to the SRH security model. In both cases, domain ingress nodes deploy ACLs that filter potentially harmful packets.

In the case of the SRH, ACLs filter packets addressed to SIDs in the network interior. In the case of CRH, ACLs filter packets that contain the CRH and are addressed to interfaces in the network interior.

In both cases, the processing node can be assured that the Routing header (SRH or CRH) came from a trusted source inside of the network.

                                                                   Ron


Juniper Business Use Only

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Xiejingrong (Jingrong)
Sent: Friday, May 15, 2020 10:43 PM
To: Bob Hinden <bob.hinden@gmail.com>om>; IPv6 List <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

[External Email. Be cautious of content]


Hi WG,
My main concern is the security aspect.
It has been in discussion in another thread "Questions regarding the security mechanisms".
Hope it could be carefully considered and discussed, especially there is the painful example of RH0 deprecated by RFC5095.
There is of course RFC6554 and RFC8754 which is designed later after the deprecation and which could be carefully learned and referenced.

Ole said and repeated that "In fact I don't see how the CRH draft prevents the RFC5095 attack to happen inside of the CRH limited domain."
https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/ipv6/UyXsGeI7IDM9_Z1lipG70gIzTLY/__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2DEng7f6$

I was even worried about whether such attack could happen from Internet if there is no mandatory and deployable security mechanism on the wide boundary of a network.

Brian observed the "limited-domain" pattern that is widely used in modern protocol design and put the heavy emphasis on the domain boundary security.
https://urldefense.com/v3/__https://tools.ietf.org/html/draft-carpenter-limited-domains-13__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2CLne-AK$

The RFC8754 section 5.1 IMO is the only boundary security mechanism operable/controllable/deployable so far I've seen for an IPv6 network that is widely connected to Internet.
Please correct me if you have some other better ones.
https://urldefense.com/v3/__https://tools.ietf.org/html/rfc8754__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2JoLLr1M$

BTW:
I don't think it deserved to throw away everything that SRv6/SRH have worked out (e.g., the RFC8754 section 5.1) just to claim the independence on them.
I have an I-D of IPv6-EH using many of the design patterns of SRv6/SRH with a reference to RFC8754 but I still insist and show its independent part.

Thanks and Best wishes,
Jingrong

-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bob Hinden
Sent: Saturday, May 16, 2020 6:14 AM
To: IPv6 List <ipv6@ietf.org>
Cc: Bob Hinden <bob.hinden@gmail.com>
Subject: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

This message starts a two-week 6MAN call on adopting:

 Title:          The IPv6 Compact Routing Header (CRH)
 Authors:        R. Bonica, Y. Kamite, T. Niwa, A. Alston, L. Jalil
 File Name:      draft-bonica-6man-comp-rtg-hdr-21
 Document date:  2020-05-14

 https://urldefense.com/v3/__https://tools.ietf.org/html/draft-bonica-6man-comp-rtg-hdr__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2LW9qoun$

as a working group item. Substantive comments regarding adopting this document should be directed to the mailing list.  Editorial suggestions can be sent to the authors.

Please note that this is an adoption call, it is not a w.g. last call for advancement, adoption means that it will become a w.g. draft.  As the working group document, the w.g. will decide how the document should change going forward.

This adoption call will end on 29 May 2020.

The chairs note there has been a lot of discussions on the list about this draft.   After discussing with our area directors, we think it is appropriate to start a working group adoption call.  The authors have been active in resolving issues raised on the list.

Could those who are willing to work on this document, either as contributors, authors or reviewers please notify the list.   That gives us an indication of the energy level in the working group
to work on this.

Regards,
Bob and Ole


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2NhaaFJ2$
--------------------------------------------------------------------