Re: CRH Draft Update - Security Considerations Section

John Scudder <jgs@juniper.net> Wed, 27 May 2020 21:01 UTC

From: John Scudder <jgs@juniper.net>
To: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
CC: Ron Bonica <rbonica@juniper.net>, 6man <6man@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Subject: Re: CRH Draft Update - Security Considerations Section
Date: Wed, 27 May 2020 21:01:07 +0000
Message-ID: <BB7D86B3-9C31-40D7-8C2C-673FB73F4237@juniper.net>
References: <DM6PR05MB63488B772FA7D035EC028C5CAEB00@DM6PR05MB6348.namprd05.prod.outlook.com> <79913f262b4e4f8cbac75e74e91bf844@huawei.com>
In-Reply-To: <79913f262b4e4f8cbac75e74e91bf844@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9Ispdd-Kma4ZpwU8SfIS4OIL5dw>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Hi Jingrong,

On May 27, 2020, at 10:49 AM, Xiejingrong (Jingrong) <xiejingrong@huawei.com> wrote:

> [XJR] If this is a CRH desired example, then I have a further comment:
>
> The Destination address that represents an interface inside of the CRH domain MAY need to establish a PCE/BGP session with an outside controller; will this traffic also be filtered?

It’s already considered best practice for networks to block packets bound for their infrastructure addresses at their borders rather than allowing the Internet at large to directly target packets to infrastructure elements. So, if anyone actually wants to deploy a controller outside of their network perimeter, they’ve already had to think through how to permit the traffic through their ACLs. There are any number of ways it could be done; I’d think it beyond the scope of this spec to document them.

Regards,

—John