IETF Logo Mail Archive

Re: SRH insertion vs SRH insertion + encapsulation

Fernando Gont <fgont@si6networks.com> Mon, 09 September 2019 23:49 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCA04120831; Mon, 9 Sep 2019 16:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.307
X-Spam-Level:
X-Spam-Status: No, score=-0.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oD4fKmgMOLz9; Mon, 9 Sep 2019 16:49:45 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E999D120829; Mon, 9 Sep 2019 16:49:44 -0700 (PDT)
Received: from [192.168.0.107] (unknown [62.74.25.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id EC4FD863E0; Tue, 10 Sep 2019 01:49:39 +0200 (CEST)
Subject: Re: SRH insertion vs SRH insertion + encapsulation
To: Ole Troan <otroan@employees.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, draft-voyer-6man-extension-header-insertion <draft-voyer-6man-extension-header-insertion@ietf.org>, "6man@ietf.org" <6man@ietf.org>, Robert Raszuk <robert@raszuk.net>
References: <BYAPR05MB5463306B3328F460C2417764AEB50@BYAPR05MB5463.namprd05.prod.outlook.com> <32ED6621-3D17-4EC8-AC11-AFE64F05E6A9@employees.org> <72256cfe-755d-861a-2a0c-558311bc70b4@gmail.com> <82C3DA17-00AF-4E2E-88F3-04F9F563E659@employees.org>
From: Fernando Gont <fgont@si6networks.com>
Openpgp: preference=signencrypt
Message-ID: <a4c1d957-1fa7-8a27-5106-e536e92e9d09@si6networks.com>
Date: Mon, 09 Sep 2019 21:36:05 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <82C3DA17-00AF-4E2E-88F3-04F9F563E659@employees.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5x__DWvA41e7tONZiq7I0XLkR44>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 23:49:53 -0000

On 9/9/19 09:08, Ole Troan wrote:
> Hi Brian,
> 
[...]
>>>
>>> And I am pointing that out because of what feels like moral righteousness and hypocrisy to me, not because I think header insertion is a good idea or even doable. 
>>
>> I think the real question here is whether we want it to be possible *in principle* to verify that a packet has not been modified in transit, except for fields that are known to be mutable. NPTv6 is indeed a case where we consciously made this worse. ("NPTv6 involves modifying IP headers in transit, so it is not compatible with security mechanisms, such as the IPsec Authentication Header, that provide integrity protection for the IP header.") Addresses are not mutable as far as AH is concerned.
> 
> I am not quite sure if that's the real question. ;-)
> Something like header insertion could only possibly work in a limited domain, e.g. inserted on ingress, removed on egress.
> Thereby keeping the end to end transparency. Changing of the packet size breaks PMTUD.
> 
> AH is a neat lithmus test. At least in theory. And I think it should be kept for no other reason than that.
> I believe ILNP makes changes in only binding to the identifier not the locator.
> And as NAT has become such an integrated part of the Internet architecture you might argue if AH should bind to addresses at all, and that consideration applies to the transport protocols too of course.


I'm really curious what's the criteria with which you decide what's part
of the architecture, and what's not. For example, here you say that NATs
are part of the architecture. Not a long time ago you claimed on ietf@
that firewalls are not part of the architecture....


> 
>>
>> If we are willing to say that a feature is useable only within a domain where AH is not used, that seems OK, but only if the concepts of a domain, its membership, and its boundary nodes, are well defined. (To be clear, I don't think draft-voyer-6man-extension-header-insertion-06 is anywhere near explaining how a domain is defined and managed.) Or the IETF decides to declare AH dead. In any case, it's wider than a 6man decision.
> 
> Indeed. I think what we are talking about here is only possible within a limited domain.
> And no, I don't think draft-voyer is nearly done. I think we asked the authors to document the issues with header insertion and proposed mitigations or why those issues weren't applicable in the limited domain. I see only the PMTUD issue mentioned, and then without any mitigation.

THe first question is normally what problem you are trying to solve, and
why you can't solve it with what we already have.

It would seem to me that the "process" here is being *very biased*.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email