IETF Logo Mail Archive

Re: [IPv6] I-D Action: draft-ietf-6man-comp-rtg-hdr-00.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 02 January 2024 03:32 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27E4AC14F61D for <ipv6@ietfa.amsl.com>; Mon, 1 Jan 2024 19:32:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.197
X-Spam-Level:
X-Spam-Status: No, score=-2.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MyLZgiXIK7V8 for <ipv6@ietfa.amsl.com>; Mon, 1 Jan 2024 19:31:59 -0800 (PST)
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 419E0C14F5F6 for <ipv6@ietf.org>; Mon, 1 Jan 2024 19:31:59 -0800 (PST)
Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-6d9b2c8e2a4so3636302b3a.0 for <ipv6@ietf.org>; Mon, 01 Jan 2024 19:31:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704166318; x=1704771118; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=ozdDbMjUFAT23Z9yy693pCo8+Z7AHefM+k3Pw37YoRs=; b=bfuXhCqYJiBUaJMSWam9fuXX0aXjO90xcz/mD82GcARY31qUMhusyZWKE8aweuVFig jjlpPxE1yqHRi/7fPyq7NIU+CGpxAjc38FXMJn5FLEUjcb4+hvmIgHz8OGNOZdp2m3Ul YD2wiJAMFDKSSPIPfg61XMo8EleFibip/44Vn2IbvRNkRjBiMuT8DV6DvbBoIaKzHiWg zQ9yFJsN1WBv08S9ET3YvI/Xhi0zL8CyL9sPOI3roRqKC+930873cnxMNNYWnZpE9DIJ mswC4JsNpoFPajL0MxbvpjYg8oteRcnCsA07Q2RUTitYf9DvbgMSc97v7muMOGo0OBzB Jx7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704166318; x=1704771118; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ozdDbMjUFAT23Z9yy693pCo8+Z7AHefM+k3Pw37YoRs=; b=otgfCYKbjdsAQ+5m+KBMCnmnH2umthRmo7eQAbMER7eI4/SZtkqCn0KVOMBnQvM1lr bD9xEvou/64N9YDLJVOXPxJh/kvFVjnMfcBhxro+She9QsRjX7GmV0Od6/7YmQdN9uJ/ l3bHHzPxWYNyBZgpAY67foibBn/crGDefd82fUwYZKod2FGbIYNw+csHf1E0N2ncy0ee bbtsZmK6ReIpOulzuXpNdLxyx1z7HGPveZmKwg7Mnc9jVBgMTUH/dNFwOVzwXPvzYUW2 5YXIo5IUI0s/kd/0XfY+gE6aYKy69cVuQOnzqQC8xT3PvNRjbN4wxMVaDvUdiPR8TVzL Qvhw==
X-Gm-Message-State: AOJu0YynMqL2IArZWAvH+NbQXzPiACoPa1EGnkr84Yu12CMNNz9MUY0X e8ohOh+XmjIh8oDjlFiKtmI=
X-Google-Smtp-Source: AGHT+IG0VNA0kSTiGuobgbYeQ5VWp5XOV9RfTj6EL4FENFCQIQIciYj2xOJnpIC0EtBUW3HWEjj+lg==
X-Received: by 2002:aa7:86d0:0:b0:6d9:b1ef:add6 with SMTP id h16-20020aa786d0000000b006d9b1efadd6mr10823147pfo.35.1704166318225; Mon, 01 Jan 2024 19:31:58 -0800 (PST)
Received: from ?IPV6:2404:4400:541d:a600:44b7:2c2e:2bc6:8707? ([2404:4400:541d:a600:44b7:2c2e:2bc6:8707]) by smtp.gmail.com with ESMTPSA id fb35-20020a056a002da300b006d9bff075cfsm13059500pfb.33.2024.01.01.19.31.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 01 Jan 2024 19:31:57 -0800 (PST)
Message-ID: <c904bd6a-e923-510c-8cc7-896fe6ab24df@gmail.com>
Date: Tue, 02 Jan 2024 16:31:53 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Ron Bonica <rbonica@juniper.net>, 6man <ipv6@ietf.org>
References: <170053011333.32052.5706592547401850235@ietfa.amsl.com> <270d8285-188a-5f1f-59e6-4dbca44e0a8a@gmail.com> <BL0PR05MB53164FA6956771FB8CD20E0CAE62A@BL0PR05MB5316.namprd05.prod.outlook.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <BL0PR05MB53164FA6956771FB8CD20E0CAE62A@BL0PR05MB5316.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5SvF26aOVgM5xbys80jsViZXUb0>
Subject: Re: [IPv6] I-D Action: draft-ietf-6man-comp-rtg-hdr-00.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2024 03:32:04 -0000

Hi Ron,

That's really a question for a security expert. Inter-domain trust can be a pretty complex matter. Do you swap lists of trusted IP addresses with your trust partner? Or do you trust entire prefixes? Or would it be a list of FQDNs? Or does every host in
my.example.com trust every host in your.example.com?

Or are you asking for a cryptographically protected trust agreement?

Regards
    Brian

On 02-Jan-24 05:03, Ron Bonica wrote:
> Brian,
> 
> Good point! Could this issue be addressed by adding the following text to the beginning of the Security Considerations Section:
> 
> "In this document, a node that processes the CRH is in the same trust domain as another node if one of the following is true:
> 
> - Both nodes are operated by the same party.
> - Each node is operated by a different party and the two parties maintain a special trust agreement with regard to the CRH."
> 
>                                                                                       Ron
> 
> 
> Juniper Business Use Only
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Brian E Carpenter
> Sent: Monday, November 20, 2023 9:35 PM
> To: 6man <ipv6@ietf.org>
> Subject: Re: [IPv6] I-D Action: draft-ietf-6man-comp-rtg-hdr-00.txt
> 
> [External Email. Be cautious of content]
> 
> 
> Hi,
> 
> I am a bit puzzled. The vague referemce to a limited domain has gone, which is fine. But the only thing that relates to that issue is a statement in the Security Considerations that:
> 
> "... nodes MUST discard packets containing the CRH when both of the following conditions are true:
> 
> The Source Address does not identify an interface on a trusted node.
> 
> The Destination Address identifies an interface on the local node."
> 
> The term "trusted node" is not defined; in fact there is no discussion whatever of the trust model and how trust is established (and how forged source addresses are avoided). I think the chances of this draft surviving a Security Area review are very small.
> 
> Regards
>      Brian Carpenter
> 
> On 21-Nov-23 14:28, internet-drafts@ietf.org wrote:
>> Internet-Draft draft-ietf-6man-comp-rtg-hdr-00.txt is now available.
>> It is a work item of the IPv6 Maintenance (6MAN) WG of the IETF.
>>
>>      Title:   The IPv6 Compact Routing Header (CRH)
>>      Authors: Ron Bonica
>>               Yuji Kamite
>>               Andrew Alston
>>               Daniam Henriques
>>               Luay Jalil
>>      Name:    draft-ietf-6man-comp-rtg-hdr-00.txt
>>      Pages:   15
>>      Dates:   2023-11-20
>>
>> Abstract:
>>
>>      This document describes an experiment in which two new IPv6 Routing
>>      headers are implemented and deployed.  Collectively, they are called
>>      the Compact Routing Headers (CRH).  Individually, they are called
>>      CRH-16 and CRH-32.
>>
>>      One purpose of this experiment is to demonstrate that the CRH can be
>>      implemented and deployed in a production network.  Another purpose is
>>      to demonstrate that the security considerations, described in this
>>      document, can be addressed with access control lists.  Finally, this
>>      document encourages replication of the experiment.
>>
>> The IETF datatracker status page for this Internet-Draft is:
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-iet
>> f-6man-comp-rtg-hdr/__;!!NEt6yMaO-gk!Dnq7r3LfOi8q0IFBmD_-uJm0oJFDOI9ei
>> hzWE6kwewyYJGtgDIeuhjECRYZLVPzb8J2PtvxbLPVv-F8IYGzKnGb-NvQ$
>>
>> There is also an HTMLized version available at:
>> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draf
>> t-ietf-6man-comp-rtg-hdr-00__;!!NEt6yMaO-gk!Dnq7r3LfOi8q0IFBmD_-uJm0oJ
>> FDOI9eihzWE6kwewyYJGtgDIeuhjECRYZLVPzb8J2PtvxbLPVv-F8IYGzKOhP9rWU$
>>
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org::internet-drafts
>>
>>
>> _______________________________________________
>> I-D-Announce mailing list
>> I-D-Announce@ietf.org
>> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/i-d-
>> announce__;!!NEt6yMaO-gk!Dnq7r3LfOi8q0IFBmD_-uJm0oJFDOI9eihzWE6kwewyYJ
>> GtgDIeuhjECRYZLVPzb8J2PtvxbLPVv-F8IYGzKSF06wGc$
>>
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6__;!!NEt6yMaO-gk!Dnq7r3LfOi8q0IFBmD_-uJm0oJFDOI9eihzWE6kwewyYJGtgDIeuhjECRYZLVPzb8J2PtvxbLPVv-F8IYGzKhFPZpvY$
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email