IETF Logo Mail Archive

Re: Segment Routing Drafts

Fred Baker <fredbaker.ietf@gmail.com> Fri, 08 March 2019 11:56 UTC

Return-Path: <fredbaker.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8751B130EC0 for <ipv6@ietfa.amsl.com>; Fri, 8 Mar 2019 03:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ju_U7xQDmUuO for <ipv6@ietfa.amsl.com>; Fri, 8 Mar 2019 03:56:47 -0800 (PST)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3495A130F01 for <ipv6@ietf.org>; Fri, 8 Mar 2019 03:56:40 -0800 (PST)
Received: by mail-pg1-x52b.google.com with SMTP id h8so13996081pgp.6 for <ipv6@ietf.org>; Fri, 08 Mar 2019 03:56:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ftTebZQbWw4tm9QbtNItn1MXP6stV8/F+dmJ2tyBPM0=; b=My+uHsQzaJmVe0gX5KwK68DVEE2/X4ZnD6UPZreTufqFuUR2DITNaUQEZzYH7YzIqq m38Xf9aDY7B8OkVMuXKu9xtm8F166Z6AHGINQ8rRgebtbt6rx9fxtEXmbCdEFxA+CidU xzGQ6j3ykZAWxuo5fIuUtXbkKRFkJ9HgM7fqArMYRvGJ8yPWWoo2fRjq4n939LisUms0 jfeWSCtIlGMkQJSxs7zZgsMu/iLefakF1+ifUd7+7sxf2L/S1kx63/bwIzjW8q2PaGUF u2Ds50E3iIdjb5OclFlMai0lxdZGkqde1IIydyO8jhnPKStJfHkohSiVkSIB3AFpmBhi 8Iqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ftTebZQbWw4tm9QbtNItn1MXP6stV8/F+dmJ2tyBPM0=; b=clX5dmLawU5KPRtGx655Q3/PcwYRPBXf/NvIB/4gbN4dl7JfxUKWTRfku1r+xKWvrx 6kMGxasnjpCwo2Uk4BysJ43f9bvLYw+4zN9DPvbON5InxYvjkaiUy5b9BukBre7CL0B4 lK5sfpUSubKjck4im8SRBZmONyelr28r83GYSzAhgj7vSADr+CLpDadmgEbAo+pFP1rH FkYeQklmYtAhbOq99RN5EA4DUgNqnMmMoM7iAGbd48QQzJS1HOpIYECPItgYMm88/cUS byTp23rZhMmlQThVlILcctzZQI/vkFr6d+eZZoTrsdIwzJb/K8UCJEhix/2i7NvgmKZA 4FKA==
X-Gm-Message-State: APjAAAWE6GvPshmKF4lhMTNA5qYS8XQchw3NQzRDb86DRG7x6Nksz+tB +Nmo1jb8ch9Ux278XC0sXsFYsRHsrKA=
X-Google-Smtp-Source: APXvYqxgIqUGxnWoZzvy622G3DeQPT8Dh9TBWK9jpf8pd4gRJ7ebPsUzhXki7FjaK4j33DouqTEUKQ==
X-Received: by 2002:a17:902:7a2:: with SMTP id 31mr11381650plj.246.1552046199679; Fri, 08 Mar 2019 03:56:39 -0800 (PST)
Received: from [10.196.220.133] (9-197.icannmeeting.org. [199.91.197.9]) by smtp.gmail.com with ESMTPSA id r28sm16992681pgl.72.2019.03.08.03.53.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Mar 2019 03:56:38 -0800 (PST)
From: Fred Baker <fredbaker.ietf@gmail.com>
Message-Id: <22FD7499-FE4C-46C9-AD90-D5BE193668CF@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_4BEED90E-C7D8-472A-A94F-085FC3A537DB"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Subject: Re: Segment Routing Drafts
Date: Fri, 08 Mar 2019 19:22:37 +0900
In-Reply-To: <BYAPR05MB4245B33085E23BD17F6A04A4AE730@BYAPR05MB4245.namprd05.prod.outlook.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, IPv6 List <ipv6@ietf.org>
To: Ron Bonica <rbonica@juniper.net>
References: <BYAPR05MB424560001F76E403A33B94E7AE750@BYAPR05MB4245.namprd05.prod.outlook.com> <341A6C5C-3670-4C8F-A8CA-C80182AC1F3C@gmail.com> <7dffddcd-a810-764e-3929-01d7b400c410@gmail.com> <BYAPR05MB4245B33085E23BD17F6A04A4AE730@BYAPR05MB4245.namprd05.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/8OMLnzvXYKt7zQZVGCPyY6MZMDk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 11:56:58 -0000

Having it generally useful is a plus. What would help me is a vision, probably a few paragraphs, about how it is expected to be used. For example, I would presume that the target system is expected to maintain some counters and dump them on command. Thinking through the security implications, so now I have a flood dumping those counters, and I can determine which systems seem to be seeing a lot of traffic. They might be interesting targets...

> On Mar 7, 2019, at 5:23 AM, Ron Bonica <rbonica@juniper.net> wrote:
> 
> Brian, Fred,
> 
> Thanks for these comments. The Security Considerations Section has been rewritten as follows:
> 
> " The OAM option can also be used in denial of service attacks. Network devices SHOULD protect themselves against such attacks by limiting the number of OAM options that they process per unit time. If the rate limit is exceeded, the network device MAY either discard the packet or continue to process the packet, ignoring the OAM option."
> 
> While the OAM option offers an alternative to the SRv6 OAM bit, its applicability is not restricted to SRv6. It is applicable in any IPv6 packet.
> 
>                                                                                                   Ron
> 
> 
>> -----Original Message-----
>> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
>> Sent: Friday, March 1, 2019 7:23 PM
>> To: Fred Baker <fredbaker.ietf@gmail.com>; Ron Bonica
>> <rbonica@juniper.net>
>> Cc: IPv6 List <ipv6@ietf.org>
>> Subject: Re: Segment Routing Drafts
>> 
>> On 02-Mar-19 11:25, Fred Baker wrote:
>>> 
>>> 
>>>> On Feb 27, 2019, at 8:22 PM, Ron Bonica
>> <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>>>> -
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf
>>>> .org_doc_draft-2Dbonica-2D6man-
>> 2Doam_&d=DwICaQ&c=HAkYuh63rsuhr6Scbfh0
>>>> UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
>> AWF2EfpHcAwrDThKP8
>>>> &m=fA-
>> M3FuAMPPT1Vz39C2CSoahbM305dnBjaZxsUnSkw8&s=UrTODtxAc6CDYfNq
>> asws
>>>> GetVveWmZuh3Iy5UCVRnOxc&e=
>>> 
>>> I read this draft, and was immediately puzzled. The OAM option is useful if
>> and only if it is implemented and configured, and (per the security
>> considerations) is a reason the packet should not be permitted to enter aa
>> subsequent network.
>> 
>> The text is confusing. It says:
>> 
>>   Network operators should block packets containing these extension
>>   headers at their boundary.
>> 
>> I hope that that is meant to say:
>> 
>>   Network operators should block packets containing the OAM option
>>   at their boundary.
>> 
>> Because clearly it is way out of scope for this draft to address firewall
>> recommendations in general (which anyway are covered by draft-ietf-opsec-
>> ipv6-eh-filtering, currently "Waiting_for_AD_Go-Ahead").
>> 
>>> As such, it is only useful on a small subset of the systems it encounters, and
>> only in the originating network.
>>> 
>>> Am I reading this correctly?
>> 
>> Well, if it is intended as part of the segment routing specs, that needs to be
>> stated in the draft. If so, it presumably inherits the property of segment
>> routing that it only works within a Segment Routing Domain
>> (https://urldefense.proofpoint.com/v2/url?u=https-
>> 3A__tools.ietf.org_html_rfc8402-23page-
>> 2D6&d=DwICaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-
>> ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
>> AWF2EfpHcAwrDThKP8&m=fA-
>> M3FuAMPPT1Vz39C2CSoahbM305dnBjaZxsUnSkw8&s=Bg0e57opW73bkN5
>> KGBqF0IB31ou5hvoNF9hvaf6HKSM&e=)
>> and the OAM option would be blocked at the domain boundary.
>> 
>> Which is one of the motivations for draft-carpenter-limited-domains, of
>> course.
>> 
>>    Brian

--------------------------------------------------------------------------------
The fact that there is a highway to hell and a stairway to heaven is an interesting comment on projected traffic volume...

v2.23.0 | Report a Bug | By Email