IETF Logo Mail Archive

Re: I-D Action: draft-voyer-6man-extension-header-insertion-07.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 14 October 2019 19:17 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B970A120883 for <ipv6@ietfa.amsl.com>; Mon, 14 Oct 2019 12:17:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16BWJvq5x3IH for <ipv6@ietfa.amsl.com>; Mon, 14 Oct 2019 12:17:08 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229E112087B for <ipv6@ietf.org>; Mon, 14 Oct 2019 12:17:08 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id y5so10926765pfo.4 for <ipv6@ietf.org>; Mon, 14 Oct 2019 12:17:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=03HoKirn4jP2T3bNHZdOtVP73UzQ2H57zgaD96rr5RQ=; b=mNo2An3ffRuYeAVcc+y7lkXHrh/p3J5lo8jlPm3883VOwO4TOeR0XOtx7TjRA/6HSZ wJNcohAXnsLrTBqPrWMrIebopGoPyf6w4oagik/CZZXpnP/O2b2/sNrQNalTnq2juzD1 cbWQZQbpEOHaFWqFGpC1tXyjpj9CM9wW2EBsKYuJDGL/VgPYHinhXbmhIFbSZb5cwwLb /UyIt+xBJzKPlxqaTurBz6xaHzOABFLMpK3h63mSlFDhrbe83XAuiREZ8GLbqLL4HP/6 oy5TD9Cvk7VOWZ9Jidjl7Q9k5Ydo9EYXqbchb34FJsC9zkPcgRRKOTOa7FbYeLBkYx72 l7gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=03HoKirn4jP2T3bNHZdOtVP73UzQ2H57zgaD96rr5RQ=; b=Ju9g4VxiEqwoEbNswCa0zj2vn/jmUtj+tQvA1OikafTP6m8myAte8KvZJSKTypdE6U 0CyG7EIx4xxcapr2LOlC3urokniHJWGmJJai5qyzQ/5PspTuLIlIp8ZoiDgYlcQiKZmX t4UK2QRYT+yXxlm2qgyp0sgt548jdDsBpHmA3Ik0U03xr+4y4K571QgMK1TOgU3SIsFV YI4ohTwEEd8ke6NeCLwg4B96oJoJe3KLCxH1ApseWpQfMTAEfRr0d3pOXtn5RVy4yJ/9 rC4hqFXkpNl+qFnEdw6nlk+j5HVsxbT98Emd5uUY6n104u9AFjTf0+ZfdcVDPEURlCev 9HZA==
X-Gm-Message-State: APjAAAX2yF1tt2upivHasYg71zfiiD1Dbzh1exHPCOW2vB5Hv4WgQ3UK 5bJJiHdM2TZmDWOBucUAee7b2olj
X-Google-Smtp-Source: APXvYqxoiqCGHv7pEyx1aSuyIdLBoWgxzzdIsWNjJ1nzuKLZS5jzoDoQjmaN+bT6YrFNovZmZaIoCA==
X-Received: by 2002:a17:90a:2710:: with SMTP id o16mr37186071pje.98.1571080626787; Mon, 14 Oct 2019 12:17:06 -0700 (PDT)
Received: from [192.168.178.30] (233.148.69.111.dynamic.snap.net.nz. [111.69.148.233]) by smtp.gmail.com with ESMTPSA id e10sm24460187pfh.77.2019.10.14.12.17.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Oct 2019 12:17:05 -0700 (PDT)
Subject: Re: I-D Action: draft-voyer-6man-extension-header-insertion-07.txt
To: Tom Herbert <tom@herbertland.com>
Cc: 6man <ipv6@ietf.org>
References: <156903961333.5092.16807379687598480151@ietfa.amsl.com> <c9702ec2-61d9-66e4-1d2c-d462eaf00f21@gmail.com> <CALx6S37TrL_SsJ3o1FqzskZ4xqyDo8AeHDhXiKpPTd2e8vP_sw@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <0bca82dc-a82e-0763-c3b3-09ef7a115b4f@gmail.com>
Date: Tue, 15 Oct 2019 08:17:01 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CALx6S37TrL_SsJ3o1FqzskZ4xqyDo8AeHDhXiKpPTd2e8vP_sw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/CKYtGkXUdWfRS6H9Ng2RoRKCEa8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Oct 2019 19:17:11 -0000

Tom,

> So RFC8200 is applicable in SR domains, limited domains, and
> the Internet. IMO, this draft is trying to justify an exception to the
> requirements and should be written as such.

Absolutely; that's why I suggested a SHOULD, in fact. I didn't raise a
related standards-wonk question: whether the draft should be tagged as
"Updates: 8200" (or "Amends: 8200" in terms of draft-kuehlewind-update-tag).

If it's going to be done, it should be explicit.

Regards
   Brian

On 15-Oct-19 04:53, Tom Herbert wrote:
> On Sat, Oct 12, 2019 at 2:58 PM Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:
>>
>> Hi,
>>
>> I'd like to comment on this version. It is in fact a complete rewrite compared to
>> its predecessors and I thank the authors for that. The tone is now purely technical,
>> and that's a great improvement.
>>
>> It's also, IMHO, accurate in its statements about the relationship with RFC 8200.
>> In particular:
>>
>>>    Action 2 inserts an SRH in a packet within the SR domain at a node
>>>    not in the destination address, and inserts more than one SRH in a
>>>    packet.  This does not appear to be permitted by the statements
>>>    quoted above from RFC8200.  However, the restrictions above are not
>>>    applicable within the SR domain.  Every source node participating in
>>>    the SR domain expects SRH insertion, relies on it for services
>>>    provided by the SR domain, correctly processes ICMP errors, and
>>>    according to RFC8200 must process multiple SRH in the same packet.
>>
>> That statement "the restrictions above are not applicable within the SR domain"
>> is (it seems to me) a normative statement. It might be even clearer to state it
>> as such:
>>   ...the restrictions above SHOULD NOT be applied within the SR domain.
>>
> Brian,
> 
> Dissecting this a bit:
> 
> "Every source node participating in the SR domain expects SRH insertion"
> 
> That is awfully inclusive and seems to be retroactively creating a
> fundamental property of SR domains. Also, no opt out form source? I
> would expect that in most use cases, probably all in deployment today,
> the SR EH is set at the ingress node into the SR domain and describes
> the path to egress. The fact that some intermediate node might insert
> an EH could conceivably be a security issue in such deployments more
> than anything. IMO, if EH is allowed then source nodes should be able
> to opt out, or even better EH insertion should always be opt in from
> the source. If a source node wishes to enforce that no EHs are
> inserted it can do that with AH (assuming that AH were properly
> specified to interact with SRH)..
> 
> The draft also states that the source and destination are required to
> be in the same SR domain for EH insertion. This needs to be specified
> as a MUST. The obvious question this raises is: how does an
> intermediate node know that a source and destination are in the SR
> domain? I would infer that the authors are probably assuming that this
> can be done by specifying a prefix for the SR domain or maybe a
> whitelist of addresses? This is easy enough to propose, but on a
> network of even moderate scale I'm not convinced it's manageable. I
> suggest an alternative is for the source node to mark packets for
> which EH insertion is permissible (i.e. the opt in model). This could
> be done for instance by the source setting a null SR header (no SIDs)
> with a flag that indicates EH insert is permitted.
> 
> "correctly processes ICMP errors"
> 
> That presumes that correct processing of ICMP errors is well defined.
> Consider this scenario:
> 
> An intermediate node inserts an SRH with HMAC, a subsequent downstream
> node attempts to verify the HMAC and fails to verify. The downstream
> node sends an ICMP packet back to the source. What is source supposed
> to do with this ICMP error? (note this is just one scenario, the
> general case is how to deal with ICMP errors sent because of error in
> the inserted EH). There is nothing that source host can do within the
> protocol to avoid further occurrences of the error. At best they'll
> log it, but since there's no attribution so now somebody someone needs
> to track down who is inserting the EH-- in a complex network that may
> be non-trivial.
> 
> Attribution is critical. One obvious way to address this would be for
> the node inserting the EH to put its address into the SRH, but then
> that reduces the overhead savings of SR EH insertion compared to
> encapsulation to be just eight bytes (destination address in
> encapsulation is same as last address in insert SID list). IMO, it
> would be better to just do encapsulation instead.
> 
> Another hole is correct ICMP processing is reflected in:
> 
> "The SR domain ingress edge processing the ICMP error SHOULD log the
> error and decrement the ingress edge MTU for traffic traversing the SR
> domain (if it's greater than the IPv6 minimum MTU of 1280 bytes)"
> 
> Okay, but what if the source _is_ already at minimum MTU for PMTU?
> Note that SRH can be hundreds of byte and now with insertion there can
> be multiple SRHs of these is a packet, I don't think this is something
> that can be easily dismissed with the typical assumption that all
> networks can just set MTUs large enough.
> 
> "However, the restrictions above are not applicable within the SR domain"
> 
> I think the wording here is wrong for the intent of the draft. All the
> normative "MUSTs" in RFC8200 and other appropriate standards are
> applicable to _all_ use cases of the protocol. I see no provision in
> RFC8200 that its requirements, like prohibition of EH insertion, are
> conditional based on the environment in which the protocol is
> deployed. So RFC8200 is applicable in SR domains, limited domains, and
> the Internet. IMO, this draft is trying to justify an exception to the
> requirements and should be written as such. Presumably, the exception
> might be palatable if it maintains robustness, interoperability, and
> spirit of requirements of RFC8200.
> 
> Tom
> 
>>>    the SR domain expects SRH insertion
>> Clearly it's a WG question whether on not we want to put this on the standards
>> track. I hope we can discuss it as a technical question. My subsidiary
>> question is: does the description of an SR domain (here and in RFC8402)
>> provide enough security and operational assurance that this SHOULD NOT is
>> safe?
>>
> Hi Brain,
> 
> 
> 
>> Regards
>>    Brian Carpenter
>> j
>> On 21-Sep-19 16:20, internet-drafts@ietf.org wrote:
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>
>>>
>>>         Title           : Insertion of IPv6 Segment Routing Headers in a Controlled Domain
>>>         Authors         : Daniel Voyer
>>>                           Clarence Filsfils
>>>                           Darren Dukes
>>>                           Satoru Matsushima
>>>                           John Leddy
>>>       Filename        : draft-voyer-6man-extension-header-insertion-07.txt
>>>       Pages           : 13
>>>       Date            : 2019-09-20
>>>
>>> Abstract:
>>>    Traffic traversing an SR domain is encapsulated in an outer IPv6
>>>    header for its journey through the SR domain.
>>>
>>>    To implement transport services strictly within the SR domain, the SR
>>>    domain may require insertion or removal of an SRH after the outer
>>>    IPv6 header of the SR domain.  Any segment within the SRH is strictly
>>>    contained within the SR domain.
>>>
>>>    The SR domain always preserves the end-to-end integrity of traffic
>>>    traversing it.  No extension header is manipulated, inserted or
>>>    removed from an inner transported packet.  The packet leaving the SR
>>>    domain is exactly the same (except for the hop-limit update) as the
>>>    packet entering the SR domain.
>>>
>>>    The SR domain is designed with link MTU sufficiently greater than the
>>>    MTU at the ingress edge of the SR domain.
>>>
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-voyer-6man-extension-header-insertion/
>>>
>>> There are also htmlized versions available at:
>>> https://tools.ietf.org/html/draft-voyer-6man-extension-header-insertion-07
>>> https://datatracker.ietf.org/doc/html/draft-voyer-6man-extension-header-insertion-07
>>>
>>> A diff from the previous version is available at:
>>> https://www.ietf.org/rfcdiff?url2=draft-voyer-6man-extension-header-insertion-07
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> I-D-Announce mailing list
>>> I-D-Announce@ietf.org
>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email