Re: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt

Stewart Bryant <stewart.bryant@gmail.com> Thu, 22 July 2021 14:43 UTC

From: Stewart Bryant <stewart.bryant@gmail.com>
Message-Id: <E395A6ED-CFD3-4388-B127-04575DBA5710@gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt
Date: Thu, 22 Jul 2021 15:43:18 +0100
In-Reply-To: <ea7246fe81b140fba42e6d202c2afc8b@huawei.com>
Cc: Stewart Bryant <stewart.bryant@gmail.com>, Erik Kline <ek.ietf@gmail.com>, Christopher Wood <caw@heapingbits.net>, Yoshifumi Nishida <nsd.ietf@gmail.com>, "6man@ietf.org" <6man@ietf.org>, "draft-ietf-6man-ipv6-alt-mark.all@ietf.org" <draft-ietf-6man-ipv6-alt-mark.all@ietf.org>
To: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
References: <162438559975.15179.9747247210680035503@ietfa.amsl.com> <9bfa6dc92ed441899d61c8c09860a460@huawei.com> <CAMGpriWyXtPZQwa-mKAGc0r1iK624mvjoqs=77akApORP7A1yw@mail.gmail.com> <ea7246fe81b140fba42e6d202c2afc8b@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FNpgK6GcElt6K-QNBRxhJleW32w>

Hi,

Later in the text in section 6 (security) it says

   As stated above, the precondition for the application of the
   Alternate Marking is that it MUST be applied in specific controlled
   domains, thus confining the potential attack vectors within the
   network domain.


If the section 2 text is weakened, it both contradicts and weakens the security assumptions.

I suppose you could say that authentication MUST be used if the protocol is deployed outside a controlled domain, but I don’t think you can let it run in the wild as is.

- Stewart



> On 22 Jul 2021, at 15:08, Giuseppe Fioccola <giuseppe.fioccola@huawei.com> wrote:
> 
> Hi Erik,
> Thanks for the input.
> I tend to agree that the condition “MUST” can be changed to “SHOULD”. I can address your comments in the -08 version.
>  
> Regards,
>  
> Giuseppe
>  
> From: Erik Kline <ek.ietf@gmail.com>
> Sent: Wednesday, July 21, 2021 11:15 PM
> To: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
> Cc: Stewart Bryant <stewart.bryant@gmail.com>; Christopher Wood <caw@heapingbits.net>; Yoshifumi Nishida <nsd.ietf@gmail.com>; 6man@ietf.org; draft-ietf-6man-ipv6-alt-mark.all@ietf.org
> Subject: Re: FW: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt
>  
> Giuseppe,
>  
> I think in S2.1 "MUST NOT" be used outside a "controlled domain" is perhaps a bit too strong.  Similarly in S6, "MUST be applied in...controlled domains" might be moderated down to "SHOULD only be applied...".
>  
> I'll note that it is possible for an AH option to be used to ensure the DstOpt variant is unmodified en route, and these two in conjunction can be used wherever desired to send such packets outside the given domain (subject, of course, to all the middlebox interference any such packet would inevitably receive -- but that's a separate issue).
>  
> On Tue, Jun 22, 2021 at 11:27 AM Giuseppe Fioccola <giuseppe.fioccola@huawei.com> wrote:
> Dear Stewart, Christopher, Yoshi, All,
> Please note that I just submitted a new version of the draft. It has been thoroughly reviewed to address the comments received during the Last Call.
> 
> Your inputs are always welcome.
> 
> Regards,
> 
> Giuseppe 
> 
> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
> Sent: Tuesday, June 22, 2021 8:13 PM
> To: i-d-announce@ietf.org
> Cc: ipv6@ietf.org
> Subject: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IPv6 Maintenance WG of the IETF.
> 
>         Title           : IPv6 Application of the Alternate Marking Method
>         Authors         : Giuseppe Fioccola
>                           Tianran Zhou
>                           Mauro Cociglio
>                           Fengwei Qin
>                           Ran Pang
>         Filename        : draft-ietf-6man-ipv6-alt-mark-07.txt
>         Pages           : 21
>         Date            : 2021-06-22
> 
> Abstract:
>    This document describes how the Alternate Marking Method can be used
>    as a passive performance measurement tool in an IPv6 domain.  It
>    defines a new Extension Header Option to encode Alternate Marking
>    information in both the Hop-by-Hop Options Header and Destination
>    Options Header.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6-alt-mark/
> 
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-6man-ipv6-alt-mark-07
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-ipv6-alt-mark-07
> 
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
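The controlled-domain precondition Stewart quotes, and Erik's remark that AH can protect the Destination Option variant, translate into a concrete check a domain-edge router could run. The code below is an added illustration, not text or code from the draft or from anyone in this thread: it walks an IPv6 extension-header chain, extracts AltMark options, and forwards a marked packet across the domain boundary only when the option sits in a Destination Options header behind an AH. The option type value 0x12, the 4-octet FlowMonID(20)/L/D/Reserved layout, the domain prefix and the packets are all assumptions constructed for the example, and AH is only detected, not verified.

```python
import struct
import ipaddress
# Assumed (constructed for this example): AltMark option type value and the 4-octet
# option data layout FlowMonID(20) | L(1) | D(1) | Reserved(10); check the draft/IANA.
ALTMARK_OPT_TYPE = 0x12                            # placeholder value, not from the thread
HBH, DSTOPT, AH, NONE = 0, 60, 51, 59
CONTROLLED_DOMAIN = ipaddress.ip_network("2001:db8:100::/48")   # constructed domain prefix

def parse_altmark(pkt):
    """Walk the extension-header chain; return ([AltMark options found], AH present?)."""
    nh, off, has_ah, marks = pkt[6], 40, False, []
    while nh in (HBH, DSTOPT, AH) and off + 2 <= len(pkt):
        nxt, hlen = pkt[off], pkt[off + 1]
        if nh == AH:                                   # AH length is in 32-bit words minus 2
            total, has_ah = (hlen + 2) * 4, True
        else:                                          # options header: 8-octet units minus 1
            total, p = (hlen + 1) * 8, off + 2
            while p < off + total:
                if pkt[p] == 0:                        # Pad1 has no length octet
                    p += 1
                    continue
                optlen = pkt[p + 1]
                if pkt[p] == ALTMARK_OPT_TYPE and optlen == 4:
                    word = struct.unpack("!I", pkt[p + 2:p + 6])[0]
                    marks.append({"hdr": nh, "flowmonid": word >> 12,
                                  "L": (word >> 11) & 1, "D": (word >> 10) & 1})
                p += 2 + optlen
        nh, off = nxt, off + total
    return marks, has_ah

def edge_policy(pkt):
    """Edge rule assumed here: AltMark is fine inside the domain; crossing the boundary it is
    forwarded only in a Destination Option carried behind an AH (presence only, not verified)."""
    src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    marks, has_ah = parse_altmark(pkt)
    if not marks or (src in CONTROLLED_DOMAIN and dst in CONTROLLED_DOMAIN):
        return "forward"
    if has_ah and all(m["hdr"] == DSTOPT for m in marks):
        return "forward"
    return "drop"

def build_packet(src, dst, mark_in=None, with_ah=False, flowmonid=0x12345, l=1, d=0):
    """Constructed packet: IPv6 header, optional AH (no ICV), optional options header with one AltMark."""
    chain, nh = b"", NONE
    if mark_in is not None:
        word = (flowmonid << 12) | (l << 11) | (d << 10)
        chain, nh = bytes([nh, 0, ALTMARK_OPT_TYPE, 4]) + struct.pack("!I", word), mark_in
    if with_ah:                                        # AH placed before the Destination Option
        chain, nh = bytes([nh, 1, 0, 0]) + struct.pack("!II", 0x1000, 1) + chain, AH
    hdr = struct.pack("!IHBB", 0x60000000, len(chain), nh, 64)
    return hdr + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + chain
```

Running `edge_policy` over packets built with `build_packet` shows the two outcomes the thread argues about: an HBH AltMark leaving the domain is dropped, while the DstOpt variant behind AH is let through.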