IETF Logo Mail Archive

Re: Segment Routing Drafts

Tom Herbert <tom@herbertland.com> Sat, 02 March 2019 00:39 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71A96131032 for <ipv6@ietfa.amsl.com>; Fri, 1 Mar 2019 16:39:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P57mPslRRWwJ for <ipv6@ietfa.amsl.com>; Fri, 1 Mar 2019 16:39:54 -0800 (PST)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14D6012DF71 for <ipv6@ietf.org>; Fri, 1 Mar 2019 16:39:54 -0800 (PST)
Received: by mail-qt1-x833.google.com with SMTP id d2so29933539qti.11 for <ipv6@ietf.org>; Fri, 01 Mar 2019 16:39:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QEacqXbkIOVl3DZYDm3gPrSpF1iAjyyeM7hYbQyvmEQ=; b=YQ5vckPXvHGNQpaAUYRbk5/Wc9c4nt9l8YSsKXNQ22xjeMOpDDoRLSCFfX0hoSDlLS gxRODXb0Hv0NO2UwzFQiw/C3cQtjvkPylfbM8yi+B4mpSF+uXo8hgSRiWHX6ZWUj9B5a qaxJ90DT62MmtO+9u4+HnL0qjoOBDLDbE1DxrroR2whLY9WbOobZp+CZ2GPT8w+z/mP9 I39gMP9V01xsvgxyZXXm7U0VXg4TiLTz8VgNHEhpetveo3weE4J1/9jNJ1vZkPt9WTLB 8W8Z6nsCT9jSMVcRF3xxARVDgfmIUzUCnkSg0PW8Q3iPc+L2vQL2BrofGr/mXmzwjESu +ZHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QEacqXbkIOVl3DZYDm3gPrSpF1iAjyyeM7hYbQyvmEQ=; b=FemASPTo4xIIHOyXMyMzwZx+KIa194ow3hUZ3pYRblalq3JrZqSagR+uD6rZXLObGX YFB0GYmCQyBDMFkclwuMSzDhnwX4ar3csUvIOqxp3YXTMv7u/6l+LVWo0UmRgFctVjJW reobQFMrhjahPgY6mq8nNwJO+Wqu+rZWWvr2+bgovUblCjqXSDR0epaim71SlS71EQ/r jsH9o9ysOqS7EAVykasqHI8G8/yWahcIGlzi/AkRG7JZKUEh9JTJGcEPhM5ZlzgFzGks n/cToxh5izHgQV2HLVmfuWUOt7lecrh3L3afxLqoFPS/0/UjzGXeebqysyVljnZokj2j 7C/g==
X-Gm-Message-State: APjAAAVEbMT+kx+q+2pEde5oUIzv1OmkrVg1j4NrY/gJuOiMJmNsQu3r vdEowjxsvD8Ou058ExQDgAB5+Bt3wEQCsyeSHJawzQ==
X-Google-Smtp-Source: APXvYqyLm5zLG2A32jJUXyBb5VP0Pw4KgHec0mydKjptw3p1slMzRE5k68eYZpHFXZJyDgMjYfKcfzODiOs93p72zEs=
X-Received: by 2002:ac8:2c5a:: with SMTP id e26mr6225299qta.189.1551487192988; Fri, 01 Mar 2019 16:39:52 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB424560001F76E403A33B94E7AE750@BYAPR05MB4245.namprd05.prod.outlook.com> <341A6C5C-3670-4C8F-A8CA-C80182AC1F3C@gmail.com> <7dffddcd-a810-764e-3929-01d7b400c410@gmail.com>
In-Reply-To: <7dffddcd-a810-764e-3929-01d7b400c410@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 01 Mar 2019 16:39:41 -0800
Message-ID: <CALx6S37K-SbZOdmeu1vviDk2paEuyT4QXioXHq+Ok8WXVkfFVQ@mail.gmail.com>
Subject: Re: Segment Routing Drafts
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Fred Baker <fredbaker.ietf@gmail.com>, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/3DbCiY5KNHhJVWFROYu8vI7LWcw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2019 00:39:57 -0000

On Fri, Mar 1, 2019 at 4:23 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> On 02-Mar-19 11:25, Fred Baker wrote:
> >
> >
> >> On Feb 27, 2019, at 8:22 PM, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> >> - https://datatracker.ietf.org/doc/draft-bonica-6man-oam/
> >
> > I read this draft, and was immediately puzzled. The OAM option is useful if and only if it is implemented and configured, and (per the security considerations) is a reason the packet should not be permitted to enter aa subsequent network.
>
> The text is confusing. It says:
>
>    Network operators should block packets containing these extension
>    headers at their boundary.
>
> I hope that that is meant to say:
>
>    Network operators should block packets containing the OAM option
>    at their boundary.
>
> Because clearly it is way out of scope for this draft to address
> firewall recommendations in general (which anyway are covered by
> draft-ietf-opsec-ipv6-eh-filtering, currently "Waiting_for_AD_Go-Ahead").
>
> > As such, it is only useful on a small subset of the systems it encounters, and only in the originating network.
> >
> > Am I reading this correctly?
>
> Well, if it is intended as part of the segment routing specs,
> that needs to be stated in the draft. If so, it presumably inherits
> the property of segment routing that it only works within a Segment
> Routing Domain (https://tools.ietf.org/html/rfc8402#page-6)
> and the OAM option would be blocked at the domain boundary.
>

Hi Brian,

I don't see how facility is specific to segment routing. It seems like
a more general OAM service. That's also true of the VPN Context
Information Option.

> Which is one of the motivations for draft-carpenter-limited-domains,
> of course.
>
As opposed to relying on an external firewall that may or may not
exist or being correctly configured to enforce a limited domain, I
suggest that the source itself should be responsible to decide whether
it's safe and feasible to use this option or any extension header to
some destination. Note that if the extension header is causing
problems, it's only the source that will be able to detect the problem
and take action (e.g. only the source node would receive an ICMP error
caused by an extension header).

Tom

>     Brian
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email