IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-11.txt>

"Joel M. Halpern" <jmh@joelhalpern.com> Fri, 30 March 2018 14:51 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CE06126C3D for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 07:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nzS9WiugWE_Z for <ipv6@ietfa.amsl.com>; Fri, 30 Mar 2018 07:51:26 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0A78124BE8 for <ipv6@ietf.org>; Fri, 30 Mar 2018 07:51:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id D797824017F for <ipv6@ietf.org>; Fri, 30 Mar 2018 07:51:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1522421485; bh=eYrfVl+P8FudpJAUIEPaeiWyOLeldm/dhRj6nVybFHU=; h=Subject:To:References:From:Date:In-Reply-To:From; b=bmlWScSmlhtAXU8IH1Ve0hOu6GsjB34DYV6egJBWwJcApo3xHgEA8WkQ+7JEjFncw MgtbtSpVwzpFDKh5pG3XiolvN9suh+3nWu6OqkpB/x0F1xuG/e9CqMiuTvFfu1O4B8 OPt6qga2wDA7wYi3BZLpuB/Tj7U0LoqsaBsgYKv0=
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [50.225.209.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id 74F7B24024D for <ipv6@ietf.org>; Fri, 30 Mar 2018 07:51:25 -0700 (PDT)
Subject: Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-11.txt>
To: IPv6 List <ipv6@ietf.org>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <FB1C6E49-81F7-49DD-8E8B-2C0C4735071B@gmail.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <523d27a3-285e-6bcf-2b07-2cd8d31b0915@joelhalpern.com>
Date: Fri, 30 Mar 2018 10:51:24 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <FB1C6E49-81F7-49DD-8E8B-2C0C4735071B@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/LAuaomaggtHRE-etteMIbJ_sf9o>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Mar 2018 14:51:28 -0000

I do not think this document is ready to be sent to the IETF and IESG 
for final approval.
There are several kinds of problems.

ECMP1: The document asserts that entropy information is put into the 
flow label.   I wish this worked.  I helped bring this idea forward 
years ago, independent of SRH.  Unfortunately, there are two related 
problems.  First, adoption appears to be low.  Second, and more 
important, there are reports from the field that doing thi actually 
breaks other things and cause packet re-ordering under some 
circumstances.  As a result, vendors are suggesting that people turn it 
off even when it is available.
ECMP2: If, with suitable analysis, we decide that this is actually safe 
to do, then the document needs to include both that analysis and clearly 
spelled out requirements that operators MUST verify that all their 
routers support this behavior and that they have enabled this behavior 
before turning on SRv6 usage.

Structure: The text in section 2.3 says "It is assumed in this document 
that the SRH is added to the packet by its source".  This is at best 
disingenuous.  It is very clear that the value of this behavior lies 
primarily in use by the network, not by the packet sources.  Claiming 
otherwise results in a document with minimal utility.  Even this 
document itself disagrees with this assertion.  Tucked into the very 
next section is text saying that "outer header with an SRH applied to 
the incoming packet".  If this behavior were a clearly spelled out 
requirement, rather than a "typically" and if the text in 2.3 were 
replaced with something realistic, then the document would at least be 
itnernally consistent and match the expected usages.

Edge filtering: The text on edge filtering does not actually state that 
prevention of packets with SRH and a current DA of an internal node is 
mandatory.  Unless it is clearly stated, the security considerations 
text as currently written is significantly weakened.  If it is 
mandatory, then again the deployment section needs to note that an 
operator needs to verify that all of his edge devices support such 
filtering and have it properly enabled in order to use SRv6.

Edge Filtering and hybrids: Other documents have talked about allowing 
external packets with SRv6 entries pointing to internal nodes (which 
means the DA upon arrival at the operator edge will be an internal node 
as I understand it).  It the intention is to permit that with 
appropriate security, then the edge filtering requirements need to be 
clear about the requirements for cryptographic validation at the edge.

Yours,
Joel

On 3/29/18 4:30 PM, Bob Hinden wrote:
> 
> This message starts a two week 6MAN Working Group Last Call on advancing:
> 
>         Title           : IPv6 Segment Routing Header (SRH)
>         Authors         : Stefano Previdi
>                           Clarence Filsfils
>                           John Leddy
>                           Satoru Matsushima
>                           Daniel Voyer
> 	Filename       : draft-ietf-6man-segment-routing-header-11.txt
> 	Pages          : 34
> 	Date           : 2018-03-28
> 
>       https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header
> 
> as a Proposed Standard.  Substantive comments and statements of support
> for publishing this document should be directed to the mailing list.
> Editorial suggestions can be sent to the author.  This last call will
> end on 12 April 2018.
> 
> An issue tracker will be setup to track issues raised on this document.
> 
> Thanks,
> Bob & Ole
> 
> 
> 
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email