RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

["Xiejingrong (Jingrong)" <xiejingrong@huawei.com>]

Hi Ron,
Thanks for the quick response. 
Let's move to the "Questions regarding the security mechanisms" thread for the security mechanism discussion.
(I have added some additional response mails there, including the difference of "CRH security model" and the "SRH security model" in my understanding)

Best regards
Jingrong

-----Original Message-----
From: Ron Bonica [mailto:rbonica@juniper.net] 
Sent: Saturday, May 16, 2020 12:05 PM
To: Xiejingrong (Jingrong) <xiejingrong@huawei.com>; Bob Hinden <bob.hinden@gmail.com>; IPv6 List <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

Jingrong,

The CRH security model is nearly identical to the SRH security model. In both cases, domain ingress nodes deploy ACLs that filter potentially harmful packets.

In the case of the SRH, ACLs filter packets addressed to SIDs in the network interior. In the case of CRH, ACLs filter packets that contain the CRH and are addressed to interfaces in the network interior.

In both cases, the processing node can be assured that the Routing header (SRH or CRH) came from a trusted source inside of the network.

                                                                   Ron


Juniper Business Use Only

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Xiejingrong (Jingrong)
Sent: Friday, May 15, 2020 10:43 PM
To: Bob Hinden <bob.hinden@gmail.com>; IPv6 List <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

[External Email. Be cautious of content]


Hi WG,
My main concern is the security aspect.
It has been in discussion in another thread "Questions regarding the security mechanisms".
Hope it could be carefully considered and discussed, especially there is the painful example of RH0 deprecated by RFC5095.
There is of course RFC6554 and RFC8754 which is designed later after the deprecation and which could be carefully learned and referenced.

Ole said and repeated that "In fact I don't see how the CRH draft prevents the RFC5095 attack to happen inside of the CRH limited domain."
https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/ipv6/UyXsGeI7IDM9_Z1lipG70gIzTLY/__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2DEng7f6$

I was even worried about whether such attack could happen from Internet if there is no mandatory and deployable security mechanism on the wide boundary of a network.

Brian observed the "limited-domain" pattern that is widely used in modern protocol design and put the heavy emphasis on the domain boundary security.
https://urldefense.com/v3/__https://tools.ietf.org/html/draft-carpenter-limited-domains-13__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2CLne-AK$

The RFC8754 section 5.1 IMO is the only boundary security mechanism operable/controllable/deployable so far I've seen for an IPv6 network that is widely connected to Internet.
Please correct me if you have some other better ones.
https://urldefense.com/v3/__https://tools.ietf.org/html/rfc8754__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2JoLLr1M$

BTW:
I don't think it deserved to throw away everything that SRv6/SRH have worked out (e.g., the RFC8754 section 5.1) just to claim the independence on them.
I have an I-D of IPv6-EH using many of the design patterns of SRv6/SRH with a reference to RFC8754 but I still insist and show its independent part.

Thanks and Best wishes,
Jingrong

-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bob Hinden
Sent: Saturday, May 16, 2020 6:14 AM
To: IPv6 List <ipv6@ietf.org>
Cc: Bob Hinden <bob.hinden@gmail.com>
Subject: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

This message starts a two-week 6MAN call on adopting:

 Title:          The IPv6 Compact Routing Header (CRH)
 Authors:        R. Bonica, Y. Kamite, T. Niwa, A. Alston, L. Jalil
 File Name:      draft-bonica-6man-comp-rtg-hdr-21
 Document date:  2020-05-14

 https://urldefense.com/v3/__https://tools.ietf.org/html/draft-bonica-6man-comp-rtg-hdr__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2LW9qoun$

as a working group item. Substantive comments regarding adopting this document should be directed to the mailing list.  Editorial suggestions can be sent to the authors.

Please note that this is an adoption call, it is not a w.g. last call for advancement, adoption means that it will become a w.g. draft.  As the working group document, the w.g. will decide how the document should change going forward.

This adoption call will end on 29 May 2020.

The chairs note there has been a lot of discussions on the list about this draft.   After discussing with our area directors, we think it is appropriate to start a working group adoption call.  The authors have been active in resolving issues raised on the list.

Could those who are willing to work on this document, either as contributors, authors or reviewers please notify the list.   That gives us an indication of the energy level in the working group
to work on this.

Regards,
Bob and Ole


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2NhaaFJ2$
--------------------------------------------------------------------