Re: [IPv6] Fwd: New Version Notification for draft-xu-ipsecme-risav-00.txt

Mark Smith <markzzzsmith@gmail.com> Fri, 10 March 2023 06:40 UTC

References: <167820894576.52247.15048889974386886786@ietfa.amsl.com> <CAJF-iTT5f0WAu5fvEDqPR4dk_f3Qw1A5Of8EAVwbUJrkM7scpA@mail.gmail.com>
In-Reply-To: <CAJF-iTT5f0WAu5fvEDqPR4dk_f3Qw1A5Of8EAVwbUJrkM7scpA@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 10 Mar 2023 17:39:32 +1100
Message-ID: <CAO42Z2xqFWbV49_cGM6tLSRkRgcYVwLfF8xeKMsJkQSOfX3_iQ@mail.gmail.com>
To: Benjamin Schwartz <ietf@bemasc.net>
Cc: ipv6@ietf.org, draft-xu-ipsecme-risav@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/CHUvsGnJ4_brg0yE9IE1ykdOKCQ>
Subject: Re: [IPv6] Fwd: New Version Notification for draft-xu-ipsecme-risav-00.txt

Hi Ben,

On Fri, 10 Mar 2023 at 01:37, Benjamin Schwartz <ietf@bemasc.net> wrote:
>
> Hi 6MAN,
>
> I wanted to let you know about RISAV, our early-stage draft currently being discussed in IPSECME.  The draft essentially proposes a global configuration mechanism for network-to-network IPsec between ASes.  Each IPsec association is "edge-to-edge", independent of any intermediate ASes such as transit providers, and is authenticated to the RPKI.
>
> The proposal instructs certain intermediate nodes (the AS Border Routers of the source and destination ASes) to modify packets (adding and removing IPsec protection).  As explained in Section 10.1 [1], we believe that this is logically compliant with existing IPv6 standards, but we would appreciate more input from 6MAN on any problems that might arise from the proposed arrangement, or improvements we should consider.
>

"In-Flight IPv6 Extension Header Insertion Considered Harmful"

IETF 106 slide deck -
https://datatracker.ietf.org/meeting/106/materials/slides-106-6man-sessb-in-flight-ipv6-extension-header-insertion-considered-harmful-00
ID: https://datatracker.ietf.org/doc/html/draft-smith-6man-in-flight-eh-insertion-harmful-01

I'm a bit intrigued to know how people are going to do cost effective
and high speed EH chain processing past the fixed IPv6 header in
literally every packet being forwarded, looking for EHs it is to
process, when that network device doesn't hold the Destination Address
of the packet.

It seems to me that it would be a much easier thing to do if the
network device that is to process EHs is only looking for packets with
its own DA, which is what an outer tunnel header provides. Sure, the
tunnel header is network overhead, however it makes the decision as
to whether or not to try to process EHs in the packet as simple as
whether or not the packet's DA is local to the device, i.e. a
FIB lookup.


Regards,
Mark.

> Thanks,
> Ben Schwartz, for the authors
>
> [1] https://datatracker.ietf.org/doc/html/draft-xu-ipsecme-risav-00#name-ipv6
>
> ---------- Forwarded message ---------
>
> A new version of I-D, draft-xu-ipsecme-risav-00.txt
> has been successfully submitted by Benjamin M. Schwartz and posted to the
> IETF repository.
>
> Name:           draft-xu-ipsecme-risav
> Revision:       00
> Title:          An RPKI and IPsec-based AS-to-AS Approach for Source Address Validation
> Document date:  2023-03-07
> Group:          Individual Submission
> Pages:          26
> URL:            https://www.ietf.org/archive/id/draft-xu-ipsecme-risav-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-xu-ipsecme-risav/
> Html:           https://www.ietf.org/archive/id/draft-xu-ipsecme-risav-00.html
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-xu-ipsecme-risav
>
>
> Abstract:
>    This document presents RISAV, a protocol for establishing and using
>    IPsec security between Autonomous Systems (ASes) using the RPKI
>    identity system.  In this protocol, the originating AS adds
>    authenticating information to each outgoing packet at its Border
>    Routers (ASBRs), and the receiving AS verifies and strips this
>    information at its ASBRs.  Packets that fail validation are dropped
>    by the ASBR.  RISAV achieves Source Address Validation among all
>    participating ASes.
>
>
>
>
> The IETF Secretariat
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------