IETF Logo Mail Archive

Re: EH end encapsulation in 2460bis

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 14 April 2016 00:58 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E422212E5A7 for <ipv6@ietfa.amsl.com>; Wed, 13 Apr 2016 17:58:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8t9HNTPmPVT for <ipv6@ietfa.amsl.com>; Wed, 13 Apr 2016 17:58:23 -0700 (PDT)
Received: from mail-pa0-x22a.google.com (mail-pa0-x22a.google.com [IPv6:2607:f8b0:400e:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1643A12E5A4 for <6man@ietf.org>; Wed, 13 Apr 2016 17:58:23 -0700 (PDT)
Received: by mail-pa0-x22a.google.com with SMTP id fs9so20679422pac.2 for <6man@ietf.org>; Wed, 13 Apr 2016 17:58:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=bUP7Xx9Ynvkfy9E6uOWEIUunr4rLZKme1h71yjO08LQ=; b=vCjebkmUVX5+BBGEP0BFPvpDnQNgLhyLMckZrl2/JuPIA4QEBZf9/pzDR37ArFloiv TpGqtQZp/SetutYzP/otluvGtywSaJ7NCTUh6HtvDLgyccJHmfzWfm1Rih6eS4s5W8IA vNJnC7CJLWVQoQHreyWRlj6hGM68I/d533NkxZXODT92QaCK2xcr26Vip0mpBhoJEZjX Yfc+/D6nMwZUJZkXgQS523ahNfWdvFLles05IVCk4Ig5mNlPgHstjrF73LyUrGMYZQkf ywpb82cE8uidrn+PCkar8QcBt8HJvMX73nz01J4reVGOTfj/Hb9yCLB21GFU3SoGLuah NbVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=bUP7Xx9Ynvkfy9E6uOWEIUunr4rLZKme1h71yjO08LQ=; b=PuEGNXm5u+COBDVjnsceYuonVJJJkfA5eIJFw6pFIrLyEfa71tZxX99iwjcE7IYVA/ QjzlgbvktcTQlk3A0dQOCLWtWYvRTF8WGIJAPXhx4saY6x9SwmorVUZH/bIlyOQhDjHK B9Qzr4QYZyd0zC+r+lIiemlPAZqvqfdIo5T6njH6raQAf16Cgp28oQVxjWCn0RiIvOJr nPIw9JzaHVLdSSTEe+T67B/vXd04yTkLzxiEr1PUZd2TdwYDEvfiFMA9ZhunRjI/oFv6 NlJNdzcNbPG1uJYgJUWlQ6udHD/ntANBDqzOswAr/2jq5XVrH6Q5klDtJMcTgj1ugrLM naWQ==
X-Gm-Message-State: AOPr4FUQHw0Kj2L+pHuaZmTajOqYanSEBdZyfnsSg78yPvbxzr15FWBOSBeKebpF50Cbmw==
X-Received: by 10.66.218.161 with SMTP id ph1mr16870047pac.83.1460595502683; Wed, 13 Apr 2016 17:58:22 -0700 (PDT)
Received: from ?IPv6:2406:e007:5576:1:28cc:dc4c:9703:6781? ([2406:e007:5576:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id 136sm10791077pfz.44.2016.04.13.17.58.19 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 13 Apr 2016 17:58:21 -0700 (PDT)
Subject: Re: EH end encapsulation in 2460bis
To: "Fred Baker (fred)" <fred@cisco.com>, Tom Herbert <tom@herbertland.com>
References: <CALx6S37dA7RVzLe-HFy3_iUye+TVgPk3oCZaLfiHrXMua7K-FQ@mail.gmail.com> <A9957AF5-22BC-47A6-8D87-6E099EEEFC76@cisco.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <570EEB31.4090003@gmail.com>
Date: Thu, 14 Apr 2016 12:58:25 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <A9957AF5-22BC-47A6-8D87-6E099EEEFC76@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/8Nt7clFB-JIBKW4ciG6x9rqtT3A>
Cc: "6man@ietf.org" <6man@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2016 00:58:25 -0000

On 14/04/2016 11:59, Fred Baker (fred) wrote:
> I actually looked pretty hard at this in https://tools.ietf.org/html/draft-ietf-6man-hbh-header-handling-00. My segment-routing colleagues wanted pretty badly to insert an SR header at some point in the network, and then remove it somewhere else before delivery to the destination.
> 
> Working through potential failure cases, what worried me was the security header. Suppose, for example, that the inserted SR header would have to be removed before being given to the addressed destination, but the addressed destination was an anycast address? In such a case, the system that will ultimately respond to the packet advertises itself as "a" right router capable of forwarding the packet to that address. So, fine, I give the packet to the "router", and the receiving system realizes that the destination address is one of its own, and so receives it as a message addressed to it. Oops; we tripped over an assumption.
> 
> At IETF 94, I tried to make my SR colleague's point, and Bob Hinden told me that they had already vacated the field, leaving me with my pants around my ankles. Thanks, guys.
> 
> But that is fundamentally the point. We need a solution that has no sticky failure cases, and delivering the actual packet sent is the only one that presents itself. Encapsulation does that. Anything else has to prove the case.

Agreed. And to Tom's question:

>> For instance, is expected that there is
>> some process of moving/copying certain of the original EHs to the
>> outer headers (like HBH, routing)?

Afaics, the encapsulator can do whatever it wants as long as the new
IPv6 header is valid. It's creating a brand new IP packet that happens
to contain the incoming one, so there's no reason it can't copy some of
the extension headers. I'm not sure that it *should* do that, if the
goal is to get through a part of the Internet that discards certain
header types.

    Brian

>> On Apr 13, 2016, at 4:03 PM, Tom Herbert <tom@herbertland.com> wrote:
>>
>> Hello,
>>
>>> From draft-ietf-6man-rfc2460bis-04
>>
>> "Extension headers must never be inserted by any node other than the
>> source of the packet.  IP Encapsulation must be used to meet any
>> requirement for inserting headers, for example, as defined in
>> [RFC2473]."
>>
>> It is unclear to me how/rather IP encapsulation can meet the
>> requirements or at least the intent of a node wanting to insert
>> extension headers. For instance if a middlebox is presented a packet
>> with EHs ABC and it wishes to insert EH X, it's intent might be to
>> create a packet with EHs ABXC. I don't see how this can generally be
>> expressed with encapsulation. For instance, is expected that there is
>> some process of moving/copying certain of the original EHs to the
>> outer headers (like HBH, routing)?
>>
>> Thanks,
>> Tom
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email