RE: Segment Routing Drafts

Ron Bonica <rbonica@juniper.net> Mon, 11 March 2019 19:37 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Fred Baker <fredbaker.ietf@gmail.com>
CC: Brian E Carpenter <brian.e.carpenter@gmail.com>, IPv6 List <ipv6@ietf.org>
Subject: RE: Segment Routing Drafts
Date: Mon, 11 Mar 2019 19:37:27 +0000
Message-ID: <BYAPR05MB424556E329B5570EA860AF41AE480@BYAPR05MB4245.namprd05.prod.outlook.com>
References: <BYAPR05MB424560001F76E403A33B94E7AE750@BYAPR05MB4245.namprd05.prod.outlook.com> <341A6C5C-3670-4C8F-A8CA-C80182AC1F3C@gmail.com> <7dffddcd-a810-764e-3929-01d7b400c410@gmail.com> <BYAPR05MB4245B33085E23BD17F6A04A4AE730@BYAPR05MB4245.namprd05.prod.outlook.com> <22FD7499-FE4C-46C9-AD90-D5BE193668CF@gmail.com>
In-Reply-To: <22FD7499-FE4C-46C9-AD90-D5BE193668CF@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1lM8QfOZdvBVgG8nBuKkf8EogH0>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Fred,

Look for this in the next draft version.

In the case of counters, the counters would be dumped periodically or on command. But the command would not come from the forwarding plane. It would come from a network management station.

                              Ron


> -----Original Message-----
> From: Fred Baker <fredbaker.ietf@gmail.com>
> Sent: Friday, March 8, 2019 5:23 AM
> To: Ron Bonica <rbonica@juniper.net>
> Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>; IPv6 List
> <ipv6@ietf.org>
> Subject: Re: Segment Routing Drafts
> 
> Having it generally useful is a plus. What would help me is a vision, probably a
> few paragraphs, about how it is expected to be used. For example, I would
> presume that the target system is expected to maintain some counters and
> dump them on command. Thinking through the security implications, so now I
> have a flood dumping those counters, and I can determine which systems
> seem to be seeing a lot of traffic. They might be interesting targets...
> 
> > On Mar 7, 2019, at 5:23 AM, Ron Bonica <rbonica@juniper.net> wrote:
> >
> > Brian, Fred,
> >
> > Thanks for these comments. The Security Considerations Section has been
> > rewritten as follows:
> >
> > " The OAM option can also be used in denial of service attacks. Network
> > devices SHOULD protect themselves against such attacks by limiting the
> > number of OAM options that they process per unit time. If the rate limit is
> > exceeded, the network device MAY either discard the packet or continue to
> > process the packet, ignoring the OAM option."
> >
> > While the OAM option offers an alternative to the SRv6 OAM bit, its
> > applicability is not restricted to SRv6. It is applicable in any IPv6 packet.
> >
> >
> > Ron
> >
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
> >> Sent: Friday, March 1, 2019 7:23 PM
> >> To: Fred Baker <fredbaker.ietf@gmail.com>; Ron Bonica
> >> <rbonica@juniper.net>
> >> Cc: IPv6 List <ipv6@ietf.org>
> >> Subject: Re: Segment Routing Drafts
> >>
> >> On 02-Mar-19 11:25, Fred Baker wrote:
> >>>
> >>>
> >>>> On Feb 27, 2019, at 8:22 PM, Ron Bonica
> >>>> <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> >>>> - https://datatracker.ietf.org/doc/draft-bonica-6man-oam/
> >>>
> >>> I read this draft, and was immediately puzzled. The OAM option is
> >>> useful if and only if it is implemented and configured, and (per the security
> >>> considerations) is a reason the packet should not be permitted to
> >>> enter a subsequent network.
> >>
> >> The text is confusing. It says:
> >>
> >>   Network operators should block packets containing these extension
> >>   headers at their boundary.
> >>
> >> I hope that that is meant to say:
> >>
> >>   Network operators should block packets containing the OAM option
> >>   at their boundary.
> >>
> >> Because clearly it is way out of scope for this draft to address
> >> firewall recommendations in general (which anyway are covered by
> >> draft-ietf-opsec-ipv6-eh-filtering, currently "Waiting_for_AD_Go-Ahead").
> >>
> >>> As such, it is only useful on a small subset of the systems it
> >>> encounters, and only in the originating network.
> >>>
> >>> Am I reading this correctly?
> >>
> >> Well, if it is intended as part of the segment routing specs, that
> >> needs to be stated in the draft. If so, it presumably inherits the
> >> property of segment routing that it only works within a Segment
> >> Routing Domain (https://tools.ietf.org/html/rfc8402#page-6)
> >> and the OAM option would be blocked at the domain boundary.
> >>
> >> Which is one of the motivations for draft-carpenter-limited-domains,
> >> of course.
> >>
> >>    Brian
> 
> --------------------------------------------------------------------------------
> The fact that there is a highway to hell and a stairway to heaven is an
> interesting comment on projected traffic volume...
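The Security Considerations text quoted in the thread asks a node to limit the number of OAM options it processes per unit time and, once over the limit, either to discard the packet or to forward it while ignoring the option. The following is an added example of what that looks like on the receiving side; it is not code from the draft or from any of the participants. It walks the IPv6 extension-header chain to find the option and puts a token bucket in front of the processing step, so that Fred's flood of option-bearing packets cannot force a counter dump per packet. Assumptions: the option type code 0x1E is a placeholder (the draft's own code point is not quoted on this page), the bucket parameters (2 options per second, burst of 4) are arbitrary, and only Hop-by-Hop and Destination Options headers directly after the base header are walked.

```python
"""Rate-limited handling of an IPv6 OAM-style option (added example, not from
the draft). Parses the extension-header chain, then applies a token bucket to
the option: under the limit it is processed, over the limit the packet is either
discarded or forwarded with the option ignored, as the quoted text allows.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from enum import Enum

IPV6_HDR_LEN = 40
NH_HOPOPTS = 0      # Hop-by-Hop Options header
NH_DSTOPTS = 60     # Destination Options header
NH_NONE = 59        # No Next Header
PAD1, PADN = 0, 1
OAM_OPTION_TYPE = 0x1E  # placeholder code point chosen for the example, NOT the draft's

# Constructed addresses for the sample packets.
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed


def parse_options(area: bytes) -> list:
    """Decode the TLV area of a Hop-by-Hop/Destination Options header.

    Pad1 is a single zero octet; every other option is type, length, data.
    Padding is dropped; a truncated option raises instead of being guessed at.
    """
    opts, i = [], 0
    while i < len(area):
        otype = area[i]
        if otype == PAD1:
            i += 1
            continue
        if i + 2 > len(area):
            raise ValueError("truncated option header")
        olen = area[i + 1]
        if i + 2 + olen > len(area):
            raise ValueError("option data runs past the header")
        if otype != PADN:
            opts.append((otype, area[i + 2:i + 2 + olen]))
        i += 2 + olen
    return opts


def find_option(packet: bytes, option_type: int):
    """Return the data of the first matching option, or None if absent.

    Only Hop-by-Hop and Destination Options headers are walked; any other
    extension header (Routing, Fragment, ...) ends the walk.
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = packet[6], IPV6_HDR_LEN
    while next_hdr in (NH_HOPOPTS, NH_DSTOPTS):
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[off], packet[off + 1]
        total = (ext_len + 1) * 8        # Hdr Ext Len is in 8-octet units, not counting the first 8
        if off + total > len(packet):
            raise ValueError("extension header runs past the packet")
        for otype, data in parse_options(packet[off + 2:off + total]):
            if otype == option_type:
                return data
        next_hdr, off = nh, off + total
    return None


class Verdict(Enum):
    NO_OPTION = "no-option"         # nothing to rate limit
    PROCESS = "process"             # under the limit: act on the option
    IGNORE = "forward-ignoring"     # over the limit: forward, do not act on the option
    DISCARD = "discard"             # over the limit: drop the packet


@dataclass
class OamRateLimiter:
    """Token bucket over OAM options processed, not over packets seen."""
    rate: float                     # options per second, sustained
    burst: int                      # options accepted back to back
    discard_when_exceeded: bool = False
    tokens: float = field(init=False, default=0.0)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def handle(self, packet: bytes, now: float) -> Verdict:
        if find_option(packet, OAM_OPTION_TYPE) is None:
            return Verdict.NO_OPTION
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return Verdict.PROCESS
        return Verdict.DISCARD if self.discard_when_exceeded else Verdict.IGNORE


def build_packet(options) -> bytes:
    """Constructed sample: base header plus one Destination Options header."""
    body = b"".join(bytes([t, len(d)]) + d for t, d in options)
    pad = (-(2 + len(body))) % 8     # the header must be a multiple of 8 octets
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += bytes([PADN, pad - 2]) + b"\x00" * (pad - 2)
    ext = bytes([NH_NONE, (2 + len(body)) // 8 - 1]) + body
    base = struct.pack("!IHBB16s16s", 0x6 << 28, len(ext), NH_DSTOPTS, 64, SRC, DST)
    return base + ext


def run_flood(times, discard_when_exceeded=False):
    """Feed one OAM-bearing packet per timestamp; return the verdict names."""
    limiter = OamRateLimiter(rate=2.0, burst=4, discard_when_exceeded=discard_when_exceeded)
    pkt = build_packet([(OAM_OPTION_TYPE, b"\x01\x02")])
    return [limiter.handle(pkt, t).value for t in times]


if __name__ == "__main__":
    print(run_flood([0.0] * 6))              # four processed, then ignored
    print(run_flood([0.0] * 4 + [0.5, 0.5]))  # one token accrues in half a second at 2/s
```

The bucket is charged only when the option is actually present, so ordinary traffic is unaffected, and the two verdicts over the limit map directly onto the draft's MAY: a device that must preserve reachability forwards with the option ignored, a device that treats the option as in-domain-only can discard.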