IETF Logo Mail Archive

Re: All IPv6 fields are now mutable (Re: Typo correction Re: Question from SPRING regarding draft-filsfilscheng-spring-srv6-srh-compression)

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 17 October 2021 22:22 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93FBB3A139E; Sun, 17 Oct 2021 15:22:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YA_AqNNstgTH; Sun, 17 Oct 2021 15:22:50 -0700 (PDT)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 590643A132B; Sun, 17 Oct 2021 15:22:45 -0700 (PDT)
Received: by mail-pj1-x1032.google.com with SMTP id ls18-20020a17090b351200b001a00250584aso13142553pjb.4; Sun, 17 Oct 2021 15:22:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=TxucyUoMXjFTuNZ273Ce/aux0mxSPObdLCP743qHd08=; b=oEEhsWniWYZoh9yivZY8/OcRCdcp26m5F+pEBjlYhIgyBjQ3RPbZ7ja/WJ/qZ/bYNf mEBig7fy4ssRRYsmlquy6OnbUpVGowZe1B7uy5Hys0naSScrR3gc71RSrbrguVBMYf1D LhBA43HQhuG9eKBKySs3OGG8czIWkPwULCxq+Cn8BDJXW8Q55HYG71+/Kh+MYzYydV0e Ob+BDdoQ4zEBx6bx/e4qak95j1D/MGTs4YW58mg8jc9LyM8ysYdULUALWq6bswci7+cq QZK0UoaU8sNgJKVMnZVp9elZi6yVGGEchn0EkuoYea6RokLvS0roSAgbF+OuJ8mFxnAb Hcpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=TxucyUoMXjFTuNZ273Ce/aux0mxSPObdLCP743qHd08=; b=6QPh1LAOmpWwxBAeM/iE1jiMV2S5JilW+tPyJZ0lUBrs8SrXgxkm8LWov8UEY+Sina LkCFijWkt8qqEXM3mjhBb1IwG0uF7y0uMLivuWB4Cigw9J4u1VDqygtzhOxRg7eFvCHy hyBAeTIJ/V/JsKoFbT+t27oevrgKWt1vAjPj42HTe+QsBoSKfiG4GfbOHjGb3E8DI8ZD kofAmJ+QypppUHr+r39IgoF2W5Aq9TXiDAIMbxUqnOmokwXi7sjsnUU5rSn2ejdMgz1E fQGE7x1oMGJ3kt5I4euwkO5y9JTU8wrJmcsYDpwRl3D/cjFlE0+Cgako3qhtiMvT+aok oVOw==
X-Gm-Message-State: AOAM531HHebolqc2DI+5tiNLPywUl8Gi80QtiDIV4Gg4CS2zpv8mcqCm vxDKUv8CCPmKBarusR9K/e5S822UupcFYg==
X-Google-Smtp-Source: ABdhPJzlPghXa+2J+oAhZu7PEdAaYPB7cIas34yhZGhpzQlggwV635yY867b5Y2N7TMWhd4eJS6gKQ==
X-Received: by 2002:a17:902:ea0d:b0:13f:2b62:adeb with SMTP id s13-20020a170902ea0d00b0013f2b62adebmr23555373plg.1.1634509364308; Sun, 17 Oct 2021 15:22:44 -0700 (PDT)
Received: from ?IPv6:2406:e003:102d:e801:db7:d041:a2d:ce65? ([2406:e003:102d:e801:db7:d041:a2d:ce65]) by smtp.gmail.com with ESMTPSA id a22sm10991006pfg.61.2021.10.17.15.22.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 17 Oct 2021 15:22:43 -0700 (PDT)
Subject: Re: All IPv6 fields are now mutable (Re: Typo correction Re: Question from SPRING regarding draft-filsfilscheng-spring-srv6-srh-compression)
To: Tom Herbert <tom@herbertland.com>, Mark Smith <markzzzsmith@gmail.com>
Cc: SPRING WG <spring@ietf.org>, 6man WG <ipv6@ietf.org>, Michael Richardson <mcr@sandelman.ca>
References: <85fddbe9-4eb8-7d90-d246-a888fe8bdcd3@joelhalpern.com> <139d72fd-98de-f46a-767f-6a493c4facc9@joelhalpern.com> <1396_1634278622_61691CDE_1396_28_5_787AE7BB302AE849A7480A190F8B93303542C654@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAO42Z2wvKNyYeKAZdVOh2c8G95JZuhgxumNixMWWsK9u_QDRTQ@mail.gmail.com> <1101.1634412958@localhost> <CAO42Z2yFMjPhQFrJH2eJWpYZpiM4gDS_hAEDUVj4aJO-UyTxSg@mail.gmail.com> <CALx6S34G6a1DOWNfZxZ=XjYjFxR-kOPMMMLeQ18woUhrqwLUWQ@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <5bbcf175-10a7-4839-b968-eea0a0ad8a1b@gmail.com>
Date: Mon, 18 Oct 2021 11:22:40 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <CALx6S34G6a1DOWNfZxZ=XjYjFxR-kOPMMMLeQ18woUhrqwLUWQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EZZz1g2Mb3PJDTXe96DLRA7it3A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Oct 2021 22:23:03 -0000

On 18-Oct-21 09:39, Tom Herbert wrote:
> On Sat, Oct 16, 2021 at 4:59 PM Mark Smith <markzzzsmith@gmail.com> wrote:
>>
>> On Sun, 17 Oct 2021, 06:36 Michael Richardson, <mcr@sandelman.ca> wrote:
>>>
>>> Mark Smith <markzzzsmith@gmail.com> wrote:
>>>     > In fight changing DAs also will break AH protection of the IPv6 header.
>>>
>>> AH is dead. It's been dead for decades.
>>> I say this as an IPsec enthusiast who wishes this wasn't true.
>>> But it is.
>>
>>
>> Then all IPv6 field immutability while the packet is in flight is also dead.
>>
>> "Controlled domain" == redefine any field, field semantics, and field
>> processing we like in an existing protocol, yet claim we're still
>> using the original protocol.
>>
>> That has been tacitly endorsed via standards track RFC8986. The Next
>> Header field is not supposed to be modified in flight per internet
>> standard RFC8200, yet standards track RFC8986 specifies the behaviour
>> via PSP.
>>
>> This SRH compression ID is redefining the IPv6 DA field semantics. It
>> encodes multiple network hop destinations in the single IPv6
>> destination address field.
>>
>> Structured Flow Label -
>> https://datatracker.ietf.org/doc/draft-filsfils-6man-structured-flow-label/
>> is redefining the IPv6 flow label field.
>>
>> This will be an operational nightmare in the future, when there are
>> multiple applicable RFCs that conflict with each other. I don't want
>> to have to spend time getting into arguments with vendors about which
>> protocol variant RFC their implementation should or shouldn't have to
>> comply with while I have 1000s, 10s or 100s of 1000s of customers
>> off-line.
> 
> Mark,
> 
> I think you might be lumping together several disparate proposals in
> your general claim that "IPv6 field immutability while the packet is
> in flight is also dead".
> 
> When SRH was under discussion in 6man there was a lot of work to
> define which fields were immutable and that is described in RFC8754.
> Those definitions are sufficient to specify proper interaction between
> SRH and AH, however RFC8754 knowingly breaks AH as that handling was
> not specified. Some of us did object to that, but I suppose expediency
> to publish the protocol won out. Nevertheless, there is nothing that
> prevents someone from properly defining AH usage with SRH.
> 
> As for the IPv6 destination address, it was never defined to be an
> immutable field inflight. In fact, the core operation of a routing
> header is to overwrite the destination address at each intermediate
> destination. NAT also changes the DA in flight, but there is a
> significant difference between NAT and the routing header header
> operation: when a routing header is set in a packet the sender knows
> and indicates the destination address. For the purposes of AH or
> transport checksum, both the sender and final receiver use this
> address-- there is no ambiguity and the fact that the destination
> address is mutable in flight doesn't adversely impact end to end
> protocol operations that operate on the addresses.
> 
> We have seen various proposals to steal bits or redefine flow label
> fields, but IMO it's unlikely any of those will ever get consensus.
> Hosts routinely set the flow label as an unstructured value, and
> redefining flow label semantics would be a massive retroactive change
> in deployment. I would point out though, that the flow label is
> technically not immutable in flight, RFC6437 allows it to be modified
> by intermediate nodes for "only for compelling operational security
> reasons".

Correct, because it was very clear that some firewalls were going to
clobber it whatever we wrote. So we tried to describe behaviour
that would not nullify the usefulness of the field for stateless
load balancing.

As for draft-filsfils-6man-structured-flow-label, the problems in https://mailarchive.ietf.org/arch/browse/ipv6/?gbt=1&index=qrTou1rjtNDDchE5yFfSN31pkMc
remain unsolved.

   Brian

v2.23.0 | Report a Bug | By Email