IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>

"Joel M. Halpern" <jmh@joelhalpern.com> Wed, 05 June 2019 18:05 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F1DC120203 for <ipv6@ietfa.amsl.com>; Wed, 5 Jun 2019 11:05:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72gX6a4y049D for <ipv6@ietfa.amsl.com>; Wed, 5 Jun 2019 11:05:06 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8E6F12021C for <ipv6@ietf.org>; Wed, 5 Jun 2019 11:05:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id 45JxXL2px7z1psNm; Wed, 5 Jun 2019 11:05:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1559757906; bh=A6XRHYdu3Vc++qq0kw6fL5Jcn4AoTzoUqksomxir3/w=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=ah5XkC/jqgqJ5blG/iirIYyi5Pd/cwEPbg0GIya2GWVglPQBRI93dUm+izp33YPB+ srw51W2T4LQWTR6TbVmCTtxTswJ7DAxaWDb2P2CgRVFfdvYir4IHdCjFi/n9FuLvVo nz2F/4hSg3bK1+EKPrm/P/iLvkHb09XDWSYqgvbQ=
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from Joels-MacBook-Pro.local (209-255-163-147.ip.mcleodusa.net [209.255.163.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id 45JxXK4S0VzKvsy; Wed, 5 Jun 2019 11:05:05 -0700 (PDT)
Subject: Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
To: "Darren Dukes (ddukes)" <ddukes@cisco.com>
Cc: IPv6 List <ipv6@ietf.org>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <588C586F-C303-418E-8D26-477C4B37CF92@gmail.com> <C7C2E1C43D652C4E9E49FE7517C236CB0260698D@dggeml529-mbx.china.huawei.com> <E5ED231C-2592-4D5F-9FA5-CA3D97994BE8@cisco.com> <C7C2E1C43D652C4E9E49FE7517C236CB0260A5F8@dggeml529-mbx.china.huawei.com> <CALx6S34fzjWOrLGaz=VnSRAq-zYDZAEy_f51UJCs8ginTffp=w@mail.gmail.com> <e0fd66d4-1b52-1ae0-d698-6ec780078ea3@joelhalpern.com> <B96F5BF4-163C-4910-9E3C-30BF97529899@cisco.com> <f3b21bf3-9325-b1fb-9755-768c4167398a@joelhalpern.com> <01800042-BAA0-46BC-ABC5-5F0817356F69@cisco.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <dc4c21cd-131b-e05f-02c1-e5c72773b95a@joelhalpern.com>
Date: Wed, 05 Jun 2019 14:05:04 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <01800042-BAA0-46BC-ABC5-5F0817356F69@cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/LhbmtyDahQNJr2k2xR2-Py2fCJc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2019 18:05:09 -0000

By the way, I assume you do not actually mean "sender" by source.  The 
use cases you describe often have the knowledge at the controller, not 
the sender.  So the source is the source of the SRH, but not the soure 
of the packet.
Yours,
Joel

On 6/5/19 1:01 PM, Darren Dukes (ddukes) wrote:
> Joel the answer is simple and the same as usual.  The SR Source ALWAYS knows how to steer a packet in the SR Domain.
> 
> The SR Source (or a path compute node) would never add segments to a segment list in an order it knows cannot work.
> 
> Darren
> 
> 
>> On Jun 5, 2019, at 12:48 PM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>
>> Your response on the HMAC validation implies that someone on the far side of a SDI that modifies the SID list (e.g. a binding SID) would somehow know not to try to validate the HMAC?  Or would the Binding SID process be requried to remove the HAMC TLV?  Or?
>>
>> Treating this as something can be deferred until a future SID is defined that changes SID lists is at best disingenuous.  These behaviors have implications for devices which try to support what is here, even if they are not upgraded to support new functionality.  For example, in the above, a device on the far side of a binding SID does not itself need to know anything about binding SIDs.  But it apparently needs to know something to decide whether it can verify the HMAC>  And no, local policy is not a good enough hook since this obviously depends upon the particular SID sequence the packet has gone through, not on the role of the device.
>>
>> Yours,
>> Joel
>>
>> On 6/5/19 12:41 PM, Darren Dukes (ddukes) wrote:
>>> Hi Joel, there is no definition of a "binding SID" that modifies a Segment list.
>>> However it is obvious if I intend to modify a segment list within an SR Domain, AND I want to verify that segment list via an HMAC TLV, I would certainly do the verification before my modification.
>>> Darren
>>>> On Jun 5, 2019, at 11:13 AM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>>>
>>>> Apparently I am just dense.
>>>> If we intend to permit the SID list to change along the way (for example with binding SIDs) then how does the HMAC TLV work?  The TLV is supposed to be verifiable along the path.  But the SID list is different before and after the binding SID.  So the same HMAC can not protect the two SID lists.
>>>>
>>>> Do we want to restrict the HMAC TLV to be only processed by the first router on the path?  Do we want to declare that the HMAC can not be used with any behavior that modifies the SID list?
>>>>
>>>> I guess I can take the view that folks are never going to implement the HMAC, as it is so loosely specified.  But if I expect it to work, we need some clarity on behavior.
>>>>
>>>> And that is putting aside the question of whether one wants to see AH usable with SRH.  With the mutability as currently specified, AH will have to ignore the SRH.  Which is okay if we and the security community agree.
>>>>
>>>> Yours,
>>>> Joel
>>>>
>>>> On 6/5/19 11:05 AM, Tom Herbert wrote:
>>>>> On Wed, Jun 5, 2019 at 1:21 AM Chengli (Cheng Li) <chengli13@huawei.com> wrote:
>>>>>>
>>>>>> Hi Darren,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks for your reply. It seems like reasonable to pre-allocate space for IOAM. Also, PBT[1] based Telemetry can avoid this problem.
>>>>>>
>>>>>>
>>>>>>
>>>>>> However, in Stateless SFC[2], the NSH TLV can be included in SRH to carry metadata. The length of metadata may be mutable and hard to be pre-computed when the MD type is 2.
>>>>>>
>>>>>> Maybe we still can pre-allocate enough space for this scenarios, but I still think we should make HDR as mutable.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The fields that will not be changed en route will not affect the length of the SRH.
>>>>>>
>>>>>> The mutable fields  will not count when compute ICV, and the changes of them are allowed, so why to limit  the change of length? There is no need to limit the length of these fields, because this does not help on Authentication but brings limitation.
>>>>>>
>>>>>>
>>>>>>
>>>>>> It is a general problem for IOAM and SFC, which need to add metadata into data packets.
>>>>>>
>>>>> Hi Chengli,
>>>>> Please look at https://trac.ietf.org/trac/6man/ticket/69 which
>>>>> describes some of the operational problems of adding/deleting TLVs.
>>>>> There is also an attribution problem.
>>>>> The contents of a packet are attributed to the source which is
>>>>> indicated by the source address. Fundamentally, the source of the
>>>>> packet owns the bits and is responsible for the content. If an
>>>>> intermediate node sets alternative content in a packet then at the
>>>>> destination that content is attributed to the source. This content may
>>>>> not conform to host policy, or for that matter might even be illegal,
>>>>> and without any proper paper trail of who set the content, the source
>>>>> is held accountable.
>>>>> So the source requires fine grained control over what the network is
>>>>> allowed to change, and authentication is means to enforce that
>>>>> intermediate nodes only change the packet in permissible ways. If a
>>>>> network node wants to change more than what the source allows, it is
>>>>> free to encapsulate the packet for transit across the network, thus
>>>>> itself becoming the source of the packet and so can set content in the
>>>>> encapsulating headers per a different policy.
>>>>> Tom
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Cheng
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> [1] https://tools.ietf.org/html/draft-song-ippm-postcard-based-telemetry-03
>>>>>>
>>>>>> [2] https://tools.ietf.org/html/draft-xuclad-spring-sr-service-programming-02#section-7.2.1
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>>
>>>>>> From: Darren Dukes (ddukes) [mailto:ddukes@cisco.com]
>>>>>>
>>>>>> Sent: Tuesday, May 28, 2019 1:22 AM
>>>>>>
>>>>>> To: Chengli (Cheng Li) <chengli13@huawei.com>
>>>>>>
>>>>>> Cc: Bob Hinden <bob.hinden@gmail.com>; IPv6 List <ipv6@ietf.org>
>>>>>>
>>>>>> Subject: Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi Cheng, thanks for the support, I have a couple comments inline.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On May 27, 2019, at 8:41 AM, Chengli (Cheng Li) <chengli13@huawei.com> wrote:
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Support. Many thanks to authors for their contributions! I agree that we should specify how the AH works with SRH in other drafts.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> But I can NOT find any text of describing Hdr Ext Len is not mutable in RFC8200.
>>>>>>
>>>>>>> Hdr Ext Len SHOULD be mutable, otherwise, use cases like incremental SRv6 IOAM[1] can not work.
>>>>>>
>>>>>>
>>>>>>
>>>>>> draft-ali-6man-spring-srv6-oam-01 actually reserves TLV at an SR Source node for use by segment endpoint nodes, so it doesn’t change the size of TLVs (see 4.4.2.1 and 4.4.2.2 of that draft).
>>>>>>
>>>>>>
>>>>>>
>>>>>>> All the use cases of inserting or deleting new TLV, or updating TLV with new length value are not allowed if Hdr Ext Len is not mutable.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Use cases you’re thinking of should be able to use a method similar to that in draft-ali-6man-spring-srv6-oam, I would be interested to hear about them.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>    Darren
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> I think it is a limitation to SRv6 that we should avoid it definitely.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Best Regards,
>>>>>>
>>>>>>> Cheng
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> [1]. https://tools.ietf.org/html/draft-ali-6man-spring-srv6-oam-01#section-4.4.1
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>
>>>>>>> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bob Hinden
>>>>>>
>>>>>>> Sent: Wednesday, May 22, 2019 9:40 PM
>>>>>>
>>>>>>> To: IPv6 List <ipv6@ietf.org>
>>>>>>
>>>>>>> Cc: Bob Hinden <bob.hinden@gmail.com>
>>>>>>
>>>>>>> Subject: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Hello,
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> This message starts a new two week 6MAN Working Group Last Call on advancing:
>>>>>>
>>>>>>>
>>>>>>
>>>>>>>        Title           : IPv6 Segment Routing Header (SRH)
>>>>>>
>>>>>>>        Authors         : Clarence Filsfils
>>>>>>
>>>>>>>                          Darren Dukes
>>>>>>
>>>>>>>                          Stefano Previdi
>>>>>>
>>>>>>>                          John Leddy
>>>>>>
>>>>>>>                          Satoru Matsushima
>>>>>>
>>>>>>>                          Daniel Voyer
>>>>>>
>>>>>>>              Filename        : draft-ietf-6man-segment-routing-header-19.txt
>>>>>>
>>>>>>>              Pages           : 32
>>>>>>
>>>>>>>              Date            : 2019-05-21
>>>>>>
>>>>>>>
>>>>>>
>>>>>>>     https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> as a Proposed Standard.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> This document was in an extended last call that started in March of 2018.   An issue tracker was set up, and eight new versions of the draft were produced and discussed on the list and at face to face 6man sessions.   All of the issues in the tracker have been closed.  The chairs believe it is ready to advance, but given the number of changes and the time that elapsed, a new w.g. last call is warranted.  Please review the new document.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Our thanks to the authors/editors and the working group for the work on this document.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Substantive comments and statements of support for publishing this document should be directed to the mailing list. Editorial suggestions can be sent to the author.  This last call will end on 5 June 2019.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Thanks,
>>>>>>
>>>>>>> Bob & Ole
>>>>>>
>>>>>>>
>>>>>>
>>>>>>>
>>>>>>
>>>>>>>
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>>>> IETF IPv6 working group mailing list
>>>>>>
>>>>>>> ipv6@ietf.org
>>>>>>
>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>>>> IETF IPv6 working group mailing list
>>>>>>
>>>>>>> ipv6@ietf.org
>>>>>>
>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>
>>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------
>>>>>> IETF IPv6 working group mailing list
>>>>>> ipv6@ietf.org
>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>> --------------------------------------------------------------------
>>>>> --------------------------------------------------------------------
>>>>> IETF IPv6 working group mailing list
>>>>> ipv6@ietf.org
>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>> --------------------------------------------------------------------
>>>>
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email