IETF Logo Mail Archive

Re: Limited Domains:

Mark Smith <markzzzsmith@gmail.com> Sat, 17 April 2021 04:55 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9860A3A113E; Fri, 16 Apr 2021 21:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.597
X-Spam-Level:
X-Spam-Status: No, score=-0.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lc_wEh3Ff1GZ; Fri, 16 Apr 2021 21:55:40 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB49F3A113B; Fri, 16 Apr 2021 21:55:39 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id z5so7889926ioc.13; Fri, 16 Apr 2021 21:55:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ry9cqRPBpgoosyuvO6BFBlsl7klYB7bv6HI8h55TOd4=; b=P125uLdFZB0edskjWh82sNWufh3Tbngj+KqXywGf269nSLlWnE5uQbInzzPzvSj31O TS8lvNQH9wqqiGNONq3jC7dQeZfMjDwDbCMgqDlwn7DBNLk/sz4T2LsmEZAsIZQ8hpPB qfphxjNvEfxtFFyzLwYvvnvrKx3qd7uB3X1uL4LYR7TJdI/yqJ3euvyrYatPyaQATJN8 LtOseBocx92zwcREWvMS430h6FMprxjlMtydwmTiUW18qzl3FLWt1VBTO7u/dVhLT1xu qvTHkHTu+7YwCwOOAbTL11dWKhDN/ueGps+OPS/flhQnESoxKuPn+AM0kBQh/BAmIciQ DyJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ry9cqRPBpgoosyuvO6BFBlsl7klYB7bv6HI8h55TOd4=; b=DJfoN0mVsftjqsP8VL0I9AStwcZpoQP8Aov3sxP6UnFXlcMImbUaOKzi1/ZKTj7air 7goXV3WFWueBms61gwtG8FOwvtTPAsYGtWmJv6AES0438OB6f/lZLK53Ryjv7iClCsu3 iTlx/+AL8pEN+vOAGIq6TkfXL/K3CPHSFFRUPnU/4lYodvFpXF3Iwj5W8Y7Fd7Dke2aT 0amVhOquScPxpxLQIS8EQcXezjyyZ4YGydSn7n5feI31WzAvx10FNUiDPz6wV0Fvv+j6 90VUilPQkbYLXfKBYb6OBMxYDh6bAdDpm2NMudACbBKES24VHaSiIEvVjCkYI9ZIkQuj qm4A==
X-Gm-Message-State: AOAM532RNk0U+rzWRgBO+Y20lE9NnAGtaeMvEokw8746V8/n7ZsuOb+d VFprTJCFu6ffuFtwi9PyeBqZ9nN/dh5hoR6FOCs=
X-Google-Smtp-Source: ABdhPJxhw02+acrxVy41ZPodTatKwgRiImmKQHdwONOKfCBHNlirryEpJLPwM8ocWnLp2g/ZmTYeo+2cQ+hsF5ZQsfc=
X-Received: by 2002:a6b:148f:: with SMTP id 137mr6055379iou.0.1618635338185; Fri, 16 Apr 2021 21:55:38 -0700 (PDT)
MIME-Version: 1.0
References: <8128f0b59e5c40538c42f1f60f19fad2@huawei.com>
In-Reply-To: <8128f0b59e5c40538c42f1f60f19fad2@huawei.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 17 Apr 2021 14:55:11 +1000
Message-ID: <CAO42Z2xpnK4pBpyhYArF_ncfFZrwNLrHy6rAMBpDtD5i_qX0-g@mail.gmail.com>
Subject: Re: Limited Domains:
To: Jiayihao <jiayihao@huawei.com>
Cc: 6man WG <ipv6@ietf.org>, 6MAN <6man@ietf.org>, draft-filsfils-6man-structured-flow-label@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005a801c05c023e81f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/A5ijW5XebCOVbzem3YKODIcczD8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Apr 2021 04:55:46 -0000

On Sat, 17 Apr 2021, 13:45 Jiayihao, <jiayihao@huawei.com> wrote:

> argument 1:
>
> > [Gyan Mishra] There are so many variables and variations and nuances the
> idea of a “limited” or “closed” domain exists which could encompass all sub
> domains and thus in some cases that limited domain may not see that limited
> as it could be quite massive.
>
> >> [Brian] Limited domains exist for all kinds of reasons. Like it or not
> (and some people don't like it), the current architecture of the Internet
> includes thousands (probably millions) of limited domains.
>
>
>
> Yeah. Like it or not, limited domain is already a life of fact.
>
> One problem seems to be even we have define limited domain on RFC 8799,
> but there seems ‘views vary from person to person’. In fact, every global
> CDN network can be considered as a limited domain in general, Google WAN,
> AWS WAN for example. And this is align with the definition of RFC8799.
>
> So generally speaking, even QUIC can be regarded as a limited domain
> protocol philosophically.
>
>
>
>
>

Limited doesn't really exist if the domain talks the same protocol as
adjacent domains, and there are possibilities that a packet can
successfully escape one limited domain and successfully enter another.

Implementation bugs, hardware failures, operator configuration error and
default and aggregate routing create those possibilities.

Packets with Link-Local source or destination addresses are supposed to
have a limited forwarding domain limited to a link, yet we know packets
with LLA source addresses leak off of links due to destination only
forwarding implementations.

In other words, there hasn't been 100% success at creating the simple
limited domain of a link for LLA addressed packets, and that is supposed to
be an implementation default and is an RFC requirement. Good luck when it
depends on human operators to configure it.

Truly limited domains can only be created in two ways:

- A physical air gap

-  The ingresses to all adjacent domains have no possibility of accepting
and having any understanding of the local limited domain's packets if they
escape (e.g. an MPLS network trying to send packets into adjacent domains
that do not use MPLS at all).

IPv6, being an internetworking protocol, is specifically designed to be an
inter-domain protocol to facilitate internetworking networks and the hosts
attached to them. Trying to use it as a limited domain protocol is
fundamentally fighting against its design goals.



argument 2:
>
> > [Manfredi (US), Albert E] My main view is, if the domain is truly
> limited, firewalled or even air gapped, then what is the motivation to seek
> approval in a standards body?
>
> >> [Brian] On that argument the SPRING WG should never have been chartered
> and the 6MAN WG should never have approved RFC8754. Also, we should never
> have defined diffserv in 1998. And NAT, of course, would be excluded by
> definition, and RFC1918 from 1996 would need to be obsoleted.
>
>
>
> My point here is: it is not conflict.
>
> Protocol that works in a limited domain area like MPLS, SRv6 never
> built/rely on the concept of Limited domain. On the contrary, limited
> domain is a result of overall observation of the current technologies.
>
> So here comes to the reality: for every design that targeted for a limited
> domain scope, once it is targeted and going to be standardized by any SDO,
> then it will eventually to be adopted anywhere in the Internet-wide area.
>
> So the result is: for every STANDARDIZED “proprietary” tech which
> conceptually belongs to limited domain will actually be adopted in the
> Internet wide (if the value is acknowledged).
>
>
>
>
>
> argument 3:
>
> > [Robert] And I fully understand why this is going on like this - to make
> sure new features do not break existing IPv6 world ... it is just that
> protecting something which technically is already addressed and keeping
> innovation gated is IMO not the best strategy for networking.
>
> >> [Brian] Yes. That's exactly why I worked on RFC8799.
>
>
>
> Agree. One thing should care about as mentioned in RFC 8799 security
> consideration: “a protocol intended for limited use may well be
> inadvertently used on the open Internet, so limited use is not an excuse
> for poor security.” As silicon technique evolved, old-fashion/obsolete
> network design will be replaced by new design.
>
> Although consistency is quite important for IPv6 at this stage (which I
> agree as well), IPv6 will eventually face challenges one day.
>
>
>
> -----------
>
> Only thing we have to pay attention for is: we hate the pain of IPv4 to
> IPv6 upgrade, and we really don’t want such pain happened any more. I guess
> this is most concerns that many of us worrying for.
>
>
>
> My2cents,
>
> Yihao Jia
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email