Re: John Scudder's Discuss on draft-ietf-6man-ipv6-alt-mark-14: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Thu, 30 June 2022 19:17 UTC

From: John Scudder <jgs@juniper.net>
To: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-6man-ipv6-alt-mark@ietf.org" <draft-ietf-6man-ipv6-alt-mark@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "bob.hinden@gmail.com" <bob.hinden@gmail.com>, "otroan@employees.org" <otroan@employees.org>
Subject: Re: John Scudder's Discuss on draft-ietf-6man-ipv6-alt-mark-14: (with DISCUSS and COMMENT)
Date: Thu, 30 Jun 2022 19:17:35 +0000
Message-ID: <23549C38-4410-444C-BF02-6FBF16A8F5B9@juniper.net>
References: <165618105650.35108.7989371160326579064@ietfa.amsl.com> <718cc820610146f6b3b4803ed0f232a7@huawei.com>
In-Reply-To: <718cc820610146f6b3b4803ed0f232a7@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/BsPuIjL-qUqvekzqN3isU41W7CI>

Hi Giuseppe,

I just started looking at version 15, and bumped into something I wanted to raise right away instead of waiting to complete my review of all the updates.

> On Jun 27, 2022, at 2:01 PM, Giuseppe Fioccola <giuseppe.fioccola@huawei.com> wrote:
> 
> 2. From what I understand of the rules about IPv6 extension header insertion
> (viz, only end nodes can do it), plus the assumptions stated in §2.1.1 about
> the extent of the "controlled domain", it would seem a natural consequence
> that ipv6-alt-mark is only applicable to networks where user traffic enters and
> exits a tunnel at the perimeter of the "controlled domain". I don't see this
> stated plainly anywhere in the document. If I'm correct this seems like an
> important characteristic to spell out. If I'm incorrect, I'd appreciate a
> discussion of where I went wrong.
> 
> [GF]: Yes, it is correct. This is a requirement based on the security concerns raised. I think we can highlight better this point in the Abstract and in the Introduction so it becomes clearer.

It looks like these are the lines you inserted to address this point:

In the Abstract,

   ... According to RFC 8799, the IPv6 application of the
   Alternate Marking Method can be deployed in a controlled environment.

and in the Introduction:

   [RFC8799] discusses the use of the IPv6 Extension Headers as a
   typical limited domain solution.  Thus, the Alternate Marking Method
   MUST be applied to IPv6 only in a controlled environment, as further
   described in Section 2.1.  

I see two difficulties with this approach.

First, RFC 8799 is an Informational document published on the Independent Submission stream. Not only does it have no prima facie normative value because it’s Informative, it doesn’t even reflect IETF consensus; it is in short not an IETF document at all. So, while it may be interesting to read and if you want to refer the reader to it for specific points of information or elaboration, it’s not useful to refer to it as an authority, as you seem to be doing (“according to… can” and “thus” both suggest you’re relying on 8799 as a source of authority).

Second and more important, the new text doesn’t actually elucidate the point I had difficulty with while reading the document. To demonstrate something that might, I was thinking of something generally like this:

OLD:
   Therefore, the IPv6 application of the Alternate Marking Method MUST
   be deployed in a controlled domain.  It is RECOMMENDED that an
   implementation filters packets that carry Alternate Marking data and
   are entering or leaving the controlled domains.

NEW:
   The IPv6 application of the Alternate Marking Method MUST be deployed
   in a controlled domain. The consequence of this requirement is that
   it will typically only be applicable in an overlay network, that is,
   in the case where user traffic is encapsulated at one border of the
   domain and decapsulated at the other border, and the encapsulation
   includes the relevant extension header. The only exception would be
   if the user traffic originates and terminates within the controlled
   domain — but in practice this will not be common, see Section 2.1.1.

   An implementation MUST filter packets that carry Alternate Marking
   data and are entering or leaving the controlled domains.

That is just text I wrote off the top of my head as a guideline, you can use it, adapt it, or propose something different as you see fit. Then, if you also want to update your Abstract and Introduction, what I would have found helpful there is something like “the Alternate Marking Method will generally be deployed as part of an overlay network.” (But I don’t think this is required.)

By the way I also suggested changing SHOULD to MUST in the final sentence, because really, under what circumstances is it OK to *not* filter alt-mark at the borders and if you don’t, can you still call it a “controlled” domain? Indeed not mentioning this was an oversight in my earlier review.

Regards,

—John
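The border-filtering rule John proposes above ("an implementation MUST filter packets that carry Alternate Marking data and are entering or leaving the controlled domains") is easy to state and slightly fiddly to implement, because the marking lives in an option inside the IPv6 extension header chain rather than in the fixed header. The following is an added example written for this archive page; it is not code from the e-mail, from the draft, or from its authors. It walks the outermost extension header chain of an IPv6 packet, reports an AltMark option found in a Hop-by-Hop or Destination Options header, and returns the border decision. It assumes the option encoding later published in RFC 9343 (Option Type 0x12, four data octets holding a 20-bit FlowMonID, the L bit, the D bit and 10 reserved bits); the draft under discussion still listed the option type as to-be-assigned. The addresses, payloads and the packet-building helpers are constructed test data, and `border_policy` is a hypothetical name for the decision point.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ALTMARK_OPT_TYPE = 0x12     # assumed: value assigned in RFC 9343, "TBA" in the draft
ALTMARK_OPT_LEN = 4         # FlowMonID (20 bits) | L | D | 10 reserved bits
NH_HOPOPTS, NH_UDP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 17, 43, 44, 60
MAX_EXT_HEADERS = 8         # bound the walk so a crafted chain cannot run us in circles


@dataclass
class AltMark:
    flow_mon_id: int
    l_bit: bool
    d_bit: bool
    carried_in: str         # "HopByHop" or "DestOpts"


def parse_options(body: bytes, carried_in: str) -> Optional[AltMark]:
    """Walk the TLV list of one options header; return the AltMark option if present."""
    i = 0
    while i < len(body):
        opt_type = body[i]
        if opt_type == 0:                        # Pad1: single octet, no length field
            i += 1
            continue
        if i + 2 > len(body):
            raise ValueError("truncated option")
        opt_len = body[i + 1]
        if i + 2 + opt_len > len(body):
            raise ValueError("option data overruns header")
        if opt_type == ALTMARK_OPT_TYPE:
            if opt_len != ALTMARK_OPT_LEN:
                raise ValueError("AltMark option with wrong length")
            (word,) = struct.unpack("!I", body[i + 2:i + 6])
            return AltMark(word >> 12, bool((word >> 11) & 1),
                           bool((word >> 10) & 1), carried_in)
        i += 2 + opt_len
    return None


def find_altmark(pkt: bytes) -> Optional[AltMark]:
    """Return the AltMark option in the outermost IPv6 header chain, or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = pkt[6], 40
    for _ in range(MAX_EXT_HEADERS):
        if next_hdr in (NH_HOPOPTS, NH_DSTOPTS, NH_ROUTING):
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8    # Hdr Ext Len is in 8-octet units, excluding the first
            if off + hdr_len > len(pkt):
                raise ValueError("extension header overruns packet")
            if next_hdr != NH_ROUTING:
                name = "HopByHop" if next_hdr == NH_HOPOPTS else "DestOpts"
                found = parse_options(pkt[off + 2:off + hdr_len], name)
                if found:
                    return found
        elif next_hdr == NH_FRAGMENT:
            hdr_len = 8
            if off + hdr_len > len(pkt):
                raise ValueError("truncated fragment header")
        else:
            return None     # upper-layer protocol or an encapsulated packet: outer chain ends here
        next_hdr, off = pkt[off], off + hdr_len
    raise ValueError("too many extension headers")


def border_policy(pkt: bytes) -> str:
    """Decision for a packet crossing the controlled-domain border in either direction."""
    try:
        return "drop" if find_altmark(pkt) else "forward"
    except ValueError:
        return "drop"       # a malformed chain is dropped rather than forwarded unchecked


# --- constructed packets for the demonstration (test data, not captured traffic) ---
def altmark_option(flow_mon_id: int, l_bit: bool, d_bit: bool) -> bytes:
    word = ((flow_mon_id & 0xFFFFF) << 12) | (int(l_bit) << 11) | (int(d_bit) << 10)
    return bytes([ALTMARK_OPT_TYPE, ALTMARK_OPT_LEN]) + struct.pack("!I", word)


def options_header(next_hdr: int, options: bytes) -> bytes:
    body = bytes([next_hdr, 0]) + options
    pad = (-len(body)) % 8
    if pad == 1:
        body += b"\x00"                                      # Pad1
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)    # PadN
    return body[:1] + bytes([len(body) // 8 - 1]) + body[2:]


def ipv6_packet(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


PLAIN = ipv6_packet("2001:db8::1", "2001:db8::2", NH_UDP, b"constructed payload")
MARKED = ipv6_packet("2001:db8::1", "2001:db8::2", NH_HOPOPTS,
                     options_header(NH_UDP, altmark_option(0xABCDE, True, False))
                     + b"constructed payload")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("marked", MARKED)):
        print(name, border_policy(pkt), find_altmark(pkt))
```

Two design points follow from the thread. The filter stops at the first upper-layer or encapsulating Next Header (IPv6-in-IPv6 included), so for the overlay deployment John describes the check applies to the outer header that the domain's own border node adds or strips; user traffic arriving from outside with the option already present is what gets dropped. And the walk is bounded and fails closed on any malformed chain, since a border filter that can be made to skip the option by a truncated or oversized header is no filter at all.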