IETF Logo Mail Archive

RE: Questions regarding the security mechanisms//RE: CRH and RH0

Ron Bonica <rbonica@juniper.net> Fri, 15 May 2020 23:15 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 350103A0C23 for <ipv6@ietfa.amsl.com>; Fri, 15 May 2020 16:15:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=cc8b44xx; dkim=pass (1024-bit key) header.d=juniper.net header.b=Xd5goiov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5gzM5g0_o7ze for <ipv6@ietfa.amsl.com>; Fri, 15 May 2020 16:15:22 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B30D53A0A18 for <6man@ietf.org>; Fri, 15 May 2020 16:15:22 -0700 (PDT)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04FN80BO015839; Fri, 15 May 2020 16:15:10 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS1017; bh=Zwblg7+7kJVoA2sbfrtMto/4N3eD4ybEwqs2Qe6Y/Po=; b=cc8b44xxFhsDPN5y9FpA/qTXqvypPPmYKkr2hINcyp0x2petf+uyZScvSi8jH9LREQhP NV0Kpiu/JlDwsecE0sjUkpuhliZsJMeGHUB8KMK+e4/qX+N+tKtDPePG2PBAMvFJ5TEC RKXbQthR5uS5gRKwUo/k+yQcR/BpYcD1zuGvmgTT8/nq9h2F5ubOkTEB6ZqAsUfVTDs4 sxRGxQw6+YG/QewVUP+9/WKcIFCfRl1NoxiyC1grFsS/Olmi2G4540rdjlZ3iWjatUOX BURau11VYXyOVyA6Jdyt+s7N4ZcsveuDCTJShcCCIKnb1Cy9Q6v7wVSlf5K789XKtr0m ZA==
Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2174.outbound.protection.outlook.com [104.47.58.174]) by mx0a-00273201.pphosted.com with ESMTP id 3100ygfau3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 15 May 2020 16:15:10 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cEzNFA31XofXhWfrNjzj4gq3dXX99+vsZWZLvzNVygwrcpemnpgGwvojbBtGcmAXSKEjGmkgfi7ttYWRYMvecVN3QRmmEfaRzJlcBqThIcph5oZmELrQ9cflHuplNiZLqx7+/nqsNG3vmHr+qmkPIDllsT4HYD7mcdjkjhHHYZ+NvqFLu18C7ky9H0zA6D8mVMZvVv0n01TmUA+w/sDluS15h91p3rB1LB6vBahodYZGKTy0hH3Jy4qvzJMrVaoyQwMYKD6NAGEseH/wqik3S/79jkKfsW4aaMicMApvNFeQktyLLlK9qMOQ4kOH4ZQvNUcIl9lJ/4S/uxbxVzMZXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zwblg7+7kJVoA2sbfrtMto/4N3eD4ybEwqs2Qe6Y/Po=; b=h9LF3KnvqcBhspMZLgEfMTita+1lLWeNyDo3z4L8Ka0cxfPv15ROhD4nYrnRqK3kmf3Fz2MH04V36nkekNzLOKBrna7TzNLu9RQfZj3oD5qLbhI5BEjK3ToYX4rp7/fNXRpoDb/fuOy1g43iIJcc1NbdPzHETV4q/99gw4WR+c8r7370Bymrm9wYkS2+HlXwv8ObYQk6k3AdvNJKoEL6Q4Fi3Pxa9Dezwg8TvD+nydNU7vb4wh/Aw4VcyMKjKbhLkVNLsHEZqMSU4UsJeI2aPHOM/UPyeiEiUbbAtcvCmeQawIv9bnuPydZ50yd2negtjTxM+QwOEecshMTlQnKewg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zwblg7+7kJVoA2sbfrtMto/4N3eD4ybEwqs2Qe6Y/Po=; b=Xd5goiovDpX3uhRYPhXJqca3pQw25pwrLuy5u1Yi7wehndeR42+TQUEFe6eym66yzgmj18LXU9XPCTI+tE3DcX9pUluNTzkAjoK8DWMCdXxBSD3re0+ekPnaNaTf/nAyBafjPCTFyZNaQZRu7elQAMST6AF9ITr2aUwOGAHDjts=
Received: from DM6PR05MB6348.namprd05.prod.outlook.com (2603:10b6:5:122::15) by DM6PR05MB4122.namprd05.prod.outlook.com (2603:10b6:5:8a::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.14; Fri, 15 May 2020 23:15:07 +0000
Received: from DM6PR05MB6348.namprd05.prod.outlook.com ([fe80::c020:3bf5:7230:75e3]) by DM6PR05MB6348.namprd05.prod.outlook.com ([fe80::c020:3bf5:7230:75e3%4]) with mapi id 15.20.3021.010; Fri, 15 May 2020 23:15:07 +0000
From: Ron Bonica <rbonica@juniper.net>
To: Tom Herbert <tom@herbertland.com>
CC: qinfengwei <qinfengwei@chinamobile.com>, "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>, Bob Hinden <bob.hinden@gmail.com>, "Darren Dukes (ddukes)" <ddukes@cisco.com>, 6man <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Topic: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Index: AdYqA0uTBELEk8r7RxOFOlq1QjWhwwAniBKgABOLx4AAA6/ZAAAEDHVw
Date: Fri, 15 May 2020 23:15:07 +0000
Message-ID: <DM6PR05MB6348935A30A3CD5E55D4CDE3AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com>
In-Reply-To: <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=true; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2020-05-15T23:15:06Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Method=Standard; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=0633b888-ae0d-4341-a75f-06e04137d755; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=af379706-fc1f-40a2-87f3-0a6d2516ecfd; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ContentBits=2
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
authentication-results: herbertland.com; dkim=none (message not signed) header.d=none;herbertland.com; dmarc=none action=none header.from=juniper.net;
x-originating-ip: [108.28.233.91]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 3357731d-f3ef-4095-bc05-08d7f925cee8
x-ms-traffictypediagnostic: DM6PR05MB4122:
x-microsoft-antispam-prvs: <DM6PR05MB4122250F918496C1BBBB12ABAEBD0@DM6PR05MB4122.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 04041A2886
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: AMZf1ZLXvc5F8XXUcCPUaUlqqRS0EK7h8gfZWA+ukCWfDGWrvB91CF91KugGsEWhqFFjbOC2oc5YJX3C6/ATjYEBvJeDdksCNeXntlgqtMoZ+x3XtrPCHVMFCXy34XR12PQh5MLwMuloXeWYgutkMmIdgdYCLPYKx1B793iu6Uzgezzw2TAlRxv/i56+p0CnW0t5QEqJ0fds0OvlztGq3++HSqUgha4+329ravSSD9iiAMrF3ZmXMR2K5xj8crJ94CTF9WwxYdZdNncduO7u6gSgX5h2LxPfhUHzV2s9wuZ1vqxVhJKK1vn49ARk7XMSgLQ4uwDdY7FQPbAQ8iaYut3bsYH0RQpfINz0VAL74ijt9pkoollnOmaTtSuATLfAXUYHsxb5RzoPjfSlAcYBn3qSmzY2zadZ/gTIyaLvjheuXs4D1b4wVHlCtTtDEAVAxyf+HDXTVqp8NIF10kCJIvEXyf08ai57Ug4Sr8vmk7lxpCGwhNHwz0XVsXhU/w4KmQHIkqPTSdITb9IHtSujnw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR05MB6348.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(346002)(376002)(136003)(396003)(39860400002)(55016002)(6916009)(53546011)(54906003)(478600001)(6506007)(8936002)(66574014)(186003)(52536014)(71200400001)(86362001)(15650500001)(30864003)(966005)(26005)(9686003)(316002)(4326008)(76116006)(2906002)(64756008)(66446008)(8676002)(66556008)(66476007)(5660300002)(66946007)(33656002)(7696005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: FYCCBP7p2O4w1HPEX0Nn8KIrxkwiyPa3gM6YFl+MvaQQDtmGu7J8pVvzuwrzyiPUYqS8ovTioIWSAd+2hpGEbBaNvIGp07P9ckmF6o8ZP6lKFp1Vu2Jzg0YRABXTA30dOxTZjms2MoHfLU9jJ4RmQCEmL+QOeXsJ7cK50di5JX6Q+z9pPrkJSJj5P5RcYjoL2wL4LH723FTSp4c8LPSKJzVR2q3OBea2RYNYW6Y9DkOa78vh13e8r7FiAFM7BsDoWNnmGdCjM/N+C1vn3tjDMi1Hft6Ihx/4pL6EaJyJ20xv/VI0rkXvq94nqzo5EzGHCZ7p2cta36wUNz8HgVoBrYfeGqhLhD6RPemvYyVfzJC8wjcX2x7XFxLB4WaWuj7Gahf3B+wURXR2dwXyxV1zaBwgSf8cFHHms4w1RzVtLRap6cU2imo8L616zGaeCdEY9W44DsAnXGpy++n9QnK5NjS4fNQ5kTUIm1r0ocFF321VyExT/3YIuU+BQl5FRfKs
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 3357731d-f3ef-4095-bc05-08d7f925cee8
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2020 23:15:07.5460 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DC4pn6tF0qCMYN4T12Nfg3cnJwPkgZFTw984GD10YuNxJHXhLUJ6rEeBURkOWaF9riOnaugoI8wII6Yjmkn5Fw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4122
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-15_07:2020-05-15, 2020-05-15 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 malwarescore=0 mlxscore=0 suspectscore=0 clxscore=1011 lowpriorityscore=0 mlxlogscore=999 priorityscore=1501 cotscore=-2147483648 impostorscore=0 bulkscore=0 adultscore=0 phishscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2005150195
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/gWKFjK6-6Li43b2BeejU8Q-mmTk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 23:15:27 -0000

Tom,

You may be right. If so, I can change the "MUST" to a "must" or some weaker language.

                                                                                Ron



Juniper Business Use Only

-----Original Message-----
From: Tom Herbert <tom@herbertland.com> 
Sent: Friday, May 15, 2020 5:18 PM
To: Ron Bonica <rbonica@juniper.net>
Cc: qinfengwei <qinfengwei@chinamobile.com>; Xiejingrong (Jingrong) <xiejingrong@huawei.com>; Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0

[External Email. Be cautious of content]


On Fri, May 15, 2020 at 1:09 PM Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>
> Fengwei, Jingrong,
>
> Your raise excellent questions, and I will try to address them.
>
> In 2007,  security researchers demonstrated that Routing headers can be used attack vectors. See the following slide deck:
>
> - 
> https://urldefense.com/v3/__http://www.secdev.org/conf/IPv6_RH_securit
> y-csw07.pdf__;!!NEt6yMaO-gk!RXRmCM10rpZicnSnW7u-m0uiPwgTImGuFxUCtbxXoX
> RK1jT8xXDLt1kHNlNgKX1y$
>
> Therefore, we conclude that if a network contains nodes that process the CRH, it MUST deploy ACLs at its edge. These ACLs:

Ron,

That raises an interesting question. Can a protocol specification have a normative MUST requirement for correctness or security that is dependent on completely external properties? If this is saying that the ACLs are implemented as part of the CRH datapath then tht might be reasonable, but if this is saying that ACLs must be deployed at every possible edge node outside of the CRH processing that doesn't seem like it could be a MUST in a protocol specification (and this might be coming close to the general but effectively useless requirement that the underlying network MUST be secure and correct for the protocol to be secure and correct).

Also, I think you might want to mention that AH should be used to protect the routing header when security is a concern. AH is part of the protocol suite and doesn't depend on external factors other than what's happening at the end points. Normative requirements are appropriate for security via AH.

Tom

>         - MUST be sufficiently restrictive to filter harmful packets
>         - SHOULD NOT be so restrictive that they filter harmless packets.
>
> Therefore, the network SHOULD filter packets that satisfy all of the following criteria:
>
>         - The Destination Address field in the IPv6 header represents an interface that resides inside of the network.
>         - The packet contains a CRH
>         - The Segments Left field is greater than 0
>
> We understand that many networks cannot filter on such a granular basis. Therefore, they MAY deploy ACLs that filter a superset of the packets described above. For example, they may:
>
>         - Filter all packets where the Destination Address field in the IPv6 header represents an interface inside of the network. (Many network already do this).
>         - Filter all packets that contain a CRH and where the Destination Address field in the IPv6 header represents an interface inside of the network.
>         - Filter all packets that contain a CRH
>
>
> I hope that this helps.
>
>                                                                        
> Ron
>
>
>
>
>
> Juniper Business Use Only
>
> -----Original Message-----
> From: qinfengwei <qinfengwei@chinamobile.com>
> Sent: Friday, May 15, 2020 6:14 AM
> To: 'Xiejingrong (Jingrong)' <xiejingrong@huawei.com>; Ron Bonica 
> <rbonica@juniper.net>; 'Bob Hinden' <bob.hinden@gmail.com>; 'Darren 
> Dukes (ddukes)' <ddukes@cisco.com>
> Cc: '6man' <6man@ietf.org>
> Subject: 答复: Questions regarding the security mechanisms//RE: CRH and 
> RH0
>
> [External Email. Be cautious of content]
>
>
> Hi Ron and authors,
>
> As a operator, Security is one of the most important factors in whether a solution could be implemented.
> It is hoped that the security aspects will be carefully considered.
>
>
> Thanks,
> Fengwei Qin
>
> -----邮件原件-----
> 发件人: ipv6 [mailto:ipv6-bounces@ietf.org] 代表 Xiejingrong (Jingrong)
> 发送时间: 2020年5月14日 23:19
> 收件人: Ron Bonica; Bob Hinden; Darren Dukes (ddukes)
> 抄送: 6man
> 主题: Questions regarding the security mechanisms//RE: CRH and RH0
>
> Hi Ron and authors,
> I haven't found much change about the security mechanisms in the latest revision of this draft.
> So here are some questions I have so far on this aspect (based on the
> rev-18):
>
> 9.  Security Considerations
>
>    Networks that process the CRH MUST NOT accept packets containing the
>    CRH from untrusted sources.  Their border routers SHOULD discard
>    packets that satisfy the following criteria:
>
>    o  The packet contains a CRH
>
>    o  The Segments Left field in the CRH has a value greater than 0
>
>    o  The Destination Address field in the IPv6 header represents an
>       interface that resides inside of the network.
>
>    Many border routers cannot filter packets based upon the Segments
>    Left value.  These border routers MAY discard packets that satisfy
>    the following criteria:
>
>    o  The packet contains a CRH
>
>    o  The Destination Address field in the IPv6 header represents an
>       interface that resides inside of the network.
>
> [Q1] Do the words 'SHOULD' and 'MAY' mean the protection for boundary is optional? Or there is no "limited domain" boundary for the CRH ?
>     If this is optional, Is it possible for a packet to be constructed and sent from internet such that it will oscillate between two CRH routers many times ?
>
> [Q2] Does the word 'MAY' mean a router cannot filter packets based upon the SL value, but may filter packets contains a CRH ?
>     Judging a packets contains a CRH means judging a packet contains a RH and "Routing Type" field == 5/6;
>     Judging a packet whether the SL is greater than 0 means judging a packet contains a RH and "SL" field !=0;
>     I failed to see why a router could do the first one but couldn't do the second one.
>     Besides, could the above two judgements be executed on a border router if there is a HBH before the RH ?
>
> [Q3] How to judge the "DA represents an interface that resides inside of the network"? suppose the following diagram:
>
> [Internet--------BorderRouter------CRHrouter1------intermediateRouters
> ------
> CRHrouter2]
>     A packet (SA=internet, DA=CRHrouter1) (CRH SL=1, 
> SID[0]=CRHrouter2,
> SID[1]=CRHrouter1) is received by BorderRouter.
>     In this case, the DA = CRHrouter1 means "an interface that resides inside of the network" ?
>     If there are 1000 routers say CRHrouter1/2/.../1000, will you consider to use an IPv6 address block (like 5.1 of RFC8754) for this judgement ?
>
> Best Regards
> Jingrong
>
>
> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Ron Bonica
> Sent: Thursday, May 14, 2020 2:28 AM
> To: Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes) 
> <ddukes=40cisco.com@dmarc.ietf.org>
> Cc: 6man <6man@ietf.org>
> Subject: RE: CRH and RH0
>
> Bob,
>
> I just posted version 16:
>
> - tracker: 
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-bon
> ica-6man-comp-rtg-hdr/__;!!NEt6yMaO-gk!R-fnImTVyM67P-81jr0JY3of_Uz_pmd
> 0wjQJ3k1_gpkWaCkOaUNjSjjhrgxsyuQh$
> - diff: 
> https://urldefense.com/v3/__https://www.ietf.org/rfcdiff?url2=draft-bo
> nica-6man-comp-rtg-hdr-16__;!!NEt6yMaO-gk!R-fnImTVyM67P-81jr0JY3of_Uz_
> pmd0wjQJ3k1_gpkWaCkOaUNjSjjhrvB84OMK$
>
> It removes all references to RH0 and is more explicit about operating inside of a network domain for security reasons.
>
> I still see a use case for the 32-bit SID, so I left that in the draft.
>
>                                                                     
> Ron
>
>
> Juniper Business Use Only
>
> -----Original Message-----
> From: Bob Hinden <bob.hinden@gmail.com>
> Sent: Wednesday, May 13, 2020 1:29 PM
> To: Darren Dukes (ddukes) <ddukes=40cisco.com@dmarc.ietf.org>
> Cc: Bob Hinden <bob.hinden@gmail.com>; Ron Bonica 
> <rbonica@juniper.net>; 6man <6man@ietf.org>
> Subject: Re: CRH and RH0
>
> Hi,
>
> > On May 13, 2020, at 10:16 AM, Darren Dukes (ddukes)
> <ddukes=40cisco.com@dmarc.ietf.org> wrote:
> >
> > Hi Ron,
> >
> > I'm still trying to figure out where you're going with this.
> > First it was SRm6, then an RH0 replacement, then not an RH0 
> > replacement
> (in the 6man meeting), then it sort of is...
> >
> > So I'm hoping you'll update the draft so I can understand a bit more:
> > - CRH has nothing to do with RH0.
> > - CRH operates only within a limited domain.
>
> I think these are reasonable suggestions.
>
> I also think only having one size would be helpful.
>
> Bob
>
>
> >
> > Anything else to clarify from others comments would help too.
> >
> > Thanks
> >   Darren
> >
> >> On May 12, 2020, at 5:36 PM, Ron Bonica <rbonica@juniper.net> wrote:
> >>
> >> Ole, Darren,
> >>
> >> The CRH is a general purpose Routing header that operates inside of 
> >> a
> network domain. In the sense that it is a general purpose routing header, it replaces RH0. In the sense that it is restricted to a network domain, it does not replace RH0.
> >>
> >> If adding these two sentences will cause you to support the draft, 
> >> or at
> least not object to it, I will happily add them!
> >>
> >> Are these the only objections?
> >>
> >>
> Ron
> >>
> >>
> >>
> >> Juniper Business Use Only
> >>
> >> -----Original Message-----
> >> From: otroan@employees.org <otroan@employees.org>
> >> Sent: Tuesday, May 12, 2020 4:38 PM
> >> To: Ron Bonica <rbonica@juniper.net>
> >> Cc: Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
> >> Subject: Re: CRH and RH0
> >>
> >> [External Email. Be cautious of content]
> >>
> >>
> >> Hi Ron,
> >>
> >>
> >>> The answer to your question is a bit nuanced. My goals were to 
> >>> build a
> general purpose routing header that overcomes the RH0's limitations. 
> Those
> being:
> >>>
> >>>      - Its size
> >>>      - Its security issues
> >>>
> >>> Now, is that a replacement for RH0? In one way, yes. RH0 and CRH 
> >>> are
> both general purpose routing headers. In another sense, no. RH0 is meant to traverse network boundaries. But RFC 5095 taught us that letting routing header traverse network boundaries might not be a wonderful idea. So, CRH is restricted to a network domain.
> >>
> >> If CRH could be a RH0 replacement, you would have to show how the 
> >> tag
> distribution mechanism would work across the Internet?
> >> RH0 was supported in every IPv6 node, given the requirement for a
> tag->IPv6 address (or is it forwarding method) mapping, I can't quite 
> tag->see
> how that would be done in a general enough fashion for CRH?
> >>
> >> I don't think RFC5095 taught us that source routing cannot be done 
> >> across
> the Internet.
> >> In fact I don't see how the CRH draft prevents the RFC5095 attack 
> >> to
> happen inside of the CRH limited domain.
> >> Just send a packet with a list of tag#0, tag#1, tag#0, tag#1 and 
> >> you have
> the same amplification attack.
> >>
> >>> And now I return to my original question. When engineering 
> >>> students read
> the CRH RFC in 25 years, will they really care what my motivation was? Why should we burden them with this detail?
> >>
> >> To the contrary. Take the motivations and intentions behind IPv6. 
> >> We have
> spent thousands of emails trying to decode what the original 
> intensions with EHs and their limitations were, why the minimum MTU 
> was 1280, recently I saw a thread about the reasons for why TTL/HL and 
> protocol/next header was swapped between v4 and v6. If your protocol 
> is successful, the original napkin it was designed on will become 
> legend. ;-)
> >>
> >> Best regards,
> >> Ole
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list ipv6@ietf.org Administrative 
> > Requests:
> > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ip
> > v6 
> > __;!!NEt6yMaO-gk!R-fnImTVyM67P-81jr0JY3of_Uz_pmd0wjQJ3k1_gpkWaCkOaUN
> > jS
> > jjhrpNNsnwO$
> > --------------------------------------------------------------------
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: 
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
> __;!!NEt6yMaO-gk!R-fnImTVyM67P-81jr0JY3of_Uz_pmd0wjQJ3k1_gpkWaCkOaUNjS
> jjhrpNNsnwO$
> --------------------------------------------------------------------
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: 
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
> __;!!NEt6yMaO-gk!R-fnImTVyM67P-81jr0JY3of_Uz_pmd0wjQJ3k1_gpkWaCkOaUNjS
> jjhrpNNsnwO$
> --------------------------------------------------------------------
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: 
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
> __;!!NEt6yMaO-gk!RXRmCM10rpZicnSnW7u-m0uiPwgTImGuFxUCtbxXoXRK1jT8xXDLt
> 1kHNvnXgnUB$
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email