Re: Limited Domains:

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 16 April 2021 22:17 UTC

Subject: Re: Limited Domains:
To: Robert Raszuk <robert@raszuk.net>, Stewart Bryant <stewart.bryant@gmail.com>
Cc: "6man@ietf.org" <6man@ietf.org>, "draft-filsfils-6man-structured-flow-label@ietf.org" <draft-filsfils-6man-structured-flow-label@ietf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <c12a566c-224b-8722-bfdb-ac65574ece19@gmail.com>
Date: Sat, 17 Apr 2021 10:17:24 +1200
In-Reply-To: <CAOj+MMG2wy-ag=O7vQO+GkoW+OcAr6CN38vsMU9X0bh=LhF2wA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/AMKuOMnjJ3DkhlrKKDCEbC0WMHI>

On 17-Apr-21 09:42, Robert Raszuk wrote:
> 
> 
> I think this thread nicely demonstrates that we need to first define what a "limited domain" is.
> 
> To some it seems to be a 1980s definition of an IGP network boundary. More modern folks would consider as a "limited domain" a set of IGP ASNs areas interconnected by p2p BGP still under the same administration.

RFC8799 defines what it means by "limited domain" and it is not that.
 
> For me "limited domain" is an arbitrary collection of sites anywhere in the world using Internet for inter-connectivity. 

RFC8799 excludes that case. It specifically says "In other cases, it may refer to a defined set of users or nodes distributed over a much wider area, but drawn together by a single virtual network over the Internet, or a single physical network running in parallel with the Internet."

RFC8799 is not authoritative in any way, but it's quite clear on this point.

   Brian
 
> So any protocol which claims to be defined for "limited domain" and which claims that it is backwards compatible with nodes not supporting it is equivalent to allowing it to traverse the Internet.
> 
> As simple as this. 
> 
> Cheers,
> Robert.
> 
> 
> 
> 
> On Wed, Apr 14, 2021 at 12:36 PM Stewart Bryant <stewart.bryant@gmail.com <mailto:stewart.bryant@gmail.com>> wrote:
> 
>     As far as I can see the only safe limited domain protocol is one specifically designed for use in limited domains.
> 
>     Any other approach leads to confusion, mistakes, security threats, complexity and cost.
> 
>     Thus declaring that an “ordinary” IPv6 packet can simultaneously have both global and limited scope has the potential for creating significant issues for those wishing to use basic IPv6 in a limited domain.
> 
>     We have an example of an IETF limited domain protocol: MPLS. This has a very simple lightweight data plane security model: it is a different protocol from IP and if it is presented with an IP packet at its edge, it simply wraps it in MPLS and sends it safely on its way across the network for export into some other network. Operators have a lot of experience with this protocol and we know that the model that MPLS is not IP results in complete confidence that the network will not confuse the two.
> 
>     Equally we know of cases where IP is vulnerable to attack because it is so difficult to exclude packets. This was at the heart of the reason that source routing was deprecated some years ago.
> 
>     Now I am not for a moment suggesting that the limited domain applications that the flow-label authors have in mind should be done in MPLS, but I am suggesting that if they want a limited domain protocol with properties different from IPv6, and there is no obvious way to unambiguously indicate the new functionality in basic IPv6, they ought to design a protocol with the properties that they require that is not IPv6.
> 
>     I am reminded in this discussion of a time when another SDO wanted to make a “small” incompatible change to MPLS and argued that as this was only deployed in a limited domain that was safe. The IETF position was that incompatible and unrecognisable modification to one of our network protocols was a bad thing. A protracted high profile argument ensued and in the end the IETF view won the day.
> 
>     This protracted discussion on flow labels seems to be in a similar mould, and I would argue that we should not accept a change to the forwarding actions on an IPv6 packet unless it is possible for the forwarder to know precisely and unambiguously which action it is to take on the packet it is currently parsing.
> 
>     - Stewart
>