IETF Logo Mail Archive

Re: Limited Domains:

Robert Raszuk <robert@raszuk.net> Fri, 16 April 2021 21:42 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96E473A3720 for <ipv6@ietfa.amsl.com>; Fri, 16 Apr 2021 14:42:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EZsWe0VaEcLq for <ipv6@ietfa.amsl.com>; Fri, 16 Apr 2021 14:42:45 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BCFA3A371F for <6man@ietf.org>; Fri, 16 Apr 2021 14:42:44 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id n8so47016179lfh.1 for <6man@ietf.org>; Fri, 16 Apr 2021 14:42:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=md9i2tZJrjgjX/TxFSjnuQ8r/cSq90JqTBZj3i+mlUU=; b=fKIy55UxkqOZTvUftSVwcf3jHjUs6707y7qtCL2D0HovIfZ5LlX3kFONnB1p0xGAe8 ZAvI36MZMukw6XUdBcKbaoETd5Y4s81tBb8OWw18b/KTqiOFrhRHNzJjuDxZED/e7uDK qZukyxnqcJ48q4XAz1Z8FIus7fPCPCU6MX9jNdudIqRrFVWHAuzEmAJ6HtHPCLqSBvD5 Ve2NoJsbq1euuFlb6oLBcoFlOYSFYXgcqD6f54AooDnobd74VhR2CMiGftPFng9tj3VC X5+KdKtpPoLuAssB0yI79nvHHmxYXaXM7k4cLdUrfgZSacAPG54kLC3ou9Jyq0ehMVwG YloA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=md9i2tZJrjgjX/TxFSjnuQ8r/cSq90JqTBZj3i+mlUU=; b=KtmGtP3u7vpYlgU/sij8tltCDO/VCq9DyNY2mUt5EFYpOHhaql8PUyIVDGBDqHMuwQ Oz+7X1wMSAsCCLUPlaX+VPDPnDeG5cS+gNOUd8Bcyxn2eP0q8XVwAukR9StA14K4PJi4 9UBvrzCRtnuIe9OgFDZJt/sC0bEKCEUVYblvQVJNfyWmQDRUIyC3zjCPr0lPySh9IPWr dox5OvziyJaeWkXRmamS4GyE0d3QE64bkrsuGTqMD1SSm6qTaIq/4mOGR/7qtpDHSI0F at6hlDhrkQgEXyAcUjcB6ZbKqtvWyFgo9BzVpeiKmFrFjkfNd/SSF5a2hVkuYj1XjSG2 FBuA==
X-Gm-Message-State: AOAM530empYmXRVc97ULGEeROOaOmcmAWzJnrpNGYo1ugQfYyVabmmcR qhHBftm9nzYJa4BGxa49QpmC1jGdGxK83XsNCHuWxQ==
X-Google-Smtp-Source: ABdhPJzMifB5RVCwmFUUSNSjxRgDusN5nV65vjKacGt2jtVRbUoUukxClAq6UhxW88uFbX7+Fg5Amilmd+ljPLDJbd8=
X-Received: by 2002:a05:6512:2288:: with SMTP id f8mr4134987lfu.517.1618609361179; Fri, 16 Apr 2021 14:42:41 -0700 (PDT)
MIME-Version: 1.0
References: <BL0PR05MB5316991D4124AD85BC69392AAE709@BL0PR05MB5316.namprd05.prod.outlook.com> <1697a0f8-b3cd-9f7d-d610-305b5305c9a1@gmail.com> <4077E736-0092-44C6-80D1-E094F468C00C@gmail.com> <12878114-5c26-86f9-89c3-bcfa10141684@gmail.com> <CALx6S35NBfVJmjqVwhNV3nui2avUOXn6ySMG3cxx2AvGkwr_Ow@mail.gmail.com> <08A6C3D2-A81C-413A-81B3-EFAAA9DBCCE5@cisco.com> <5b68beb6-a6f9-828b-5cca-9c5ec2bfbea7@foobar.org> <126B0A5E-B421-4B1F-AAEB-ABD48FFA4289@cisco.com> <CALx6S35yxqAqWJVhav-=+TB2ZyYttAFfsLNs6Btt+QUx__aQ1w@mail.gmail.com> <9b22cfe4-22eb-3977-2d25-79eb61370291@gmail.com> <17DC585D-3378-42BF-8CD0-67676BF0CFD3@gmail.com>
In-Reply-To: <17DC585D-3378-42BF-8CD0-67676BF0CFD3@gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 16 Apr 2021 23:42:30 +0200
Message-ID: <CAOj+MMG2wy-ag=O7vQO+GkoW+OcAr6CN38vsMU9X0bh=LhF2wA@mail.gmail.com>
Subject: Re: Limited Domains:
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, "6man@ietf.org" <6man@ietf.org>, "draft-filsfils-6man-structured-flow-label@ietf.org" <draft-filsfils-6man-structured-flow-label@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000000e94205c01ddc30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/LCpBdgRpNChhqtvchSW8nOE5pkk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 21:42:50 -0000

I think this this thread nicely demonstrates that we need to first define
what a "limited domain" is.

To some it seems to be 1980s definition of an IGP network boundary. More
modern folks would consider as "limited domain" a set of IGP ASNs areas
interconnected by p2p BGP still under the same administration.

For me "limited domain" is an arbitrary collection of sites anywhere in the
world using Internet for inter-connectivity.

So any protocol which claims to be defined for "limited domain" and which
claims that it is backwards compatible with nodes not supporting it is
equal to allow it to traverse Internet.

As simple as this.

Cheers,
Robert.




On Wed, Apr 14, 2021 at 12:36 PM Stewart Bryant <stewart.bryant@gmail.com>
wrote:

> As far as I can see the only safe limited domain protocol is one
> specifically designed for use in limited domains.
>
> Any other approach leads to confusion, mistakes, security threats,
> complexity and cost.
>
> Thus declaring that an “ordinary” IPv6 packet can simultaneously have both
> global and limited scope has the potential for creating significant issues
> for those wishing to use basic IPv6 in a limited domain.
>
> We have an example of an IETF limited domain protocol: MPLS. This has a
> very simple lightweight data plane security model: it is a different
> protocol from IP and if it is presented with an IP packet at its edge, it
> simple wraps it in MPLS and sends it safely on its way across the network
> for export Into some other network. Operators have a lot of experience with
> this protocol and we know that the model that MPLS is not IP results in
> complete confidence that the network will not confuse the two.
>
> Equally we know of cases where IP is vulnerable to attack because it is so
> difficult to exclude packets. This was at the heart of the reason that
> source routing, was deprecated some years ago.
>
> Now I am not for a moment suggesting that the limited domain applications
> that the flow-label authors have in mind should be done in MPLS, but I am
> suggesting that if they want a limited domain protocol with properties
> different from IPv6, and there is no obvious way to unambiguously indicate
> the new functionality in basic IPv6, they ought to design a protocol with
> the properties that they require that is not IPv6.
>
> I am reminded in this discussion of the a time when another SDO wanted to
> make a “small” incompatible change to MPLS and argued that as this was only
> deployed in a limited domain that was safe.The IETF position was that
> incompatible and unrecognisable modification to one of our network
> protocols was a bad thing. A protracted high profile argument ensued and in
> the end  the IETF view won the day.
>
> This protracted discussion on flow labels seems to be in a similar mould,
> and I would argue that we should not accept a change to the forwarding
> actions on an IPv6 packet unless it is possible for the forwarder to know
> precisely and unambiguously  which action it is to take on the packet is is
> currently parsing.
>
> - Stewart
>
>

v2.23.0 | Report a Bug | By Email