Questions regarding the security mechanisms//RE: CRH and RH0

["Xiejingrong (Jingrong)" <xiejingrong@huawei.com>]

Hi Ron and authors,
I haven't found much change about the security mechanisms in the latest revision of this draft. 
So here are some questions I have so far on this aspect (based on the rev-18):

9.  Security Considerations

   Networks that process the CRH MUST NOT accept packets containing the
   CRH from untrusted sources.  Their border routers SHOULD discard
   packets that satisfy the following criteria:

   o  The packet contains a CRH

   o  The Segments Left field in the CRH has a value greater than 0

   o  The Destination Address field in the IPv6 header represents an
      interface that resides inside of the network.

   Many border routers cannot filter packets based upon the Segments
   Left value.  These border routers MAY discard packets that satisfy
   the following criteria:

   o  The packet contains a CRH

   o  The Destination Address field in the IPv6 header represents an
      interface that resides inside of the network.

[Q1] Do the words 'SHOULD' and 'MAY' mean the protection for boundary is optional? Or there is no "limited domain" boundary for the CRH ?
    If this is optional, Is it possible for a packet to be constructed and sent from internet such that it will oscillate between two CRH routers many times ?

[Q2] Does the word 'MAY' mean a router cannot filter packets based upon the SL value, but may filter packets contains a CRH ?
    Judging a packets contains a CRH means judging a packet contains a RH and "Routing Type" field == 5/6;
    Judging a packet whether the SL is greater than 0 means judging a packet contains a RH and "SL" field !=0;
    I failed to see why a router could do the first one but couldn't do the second one.
    Besides, could the above two judgements be executed on a border router if there is a HBH before the RH ?

[Q3] How to judge the "DA represents an interface that resides inside of the network"? suppose the following diagram:
    [Internet--------BorderRouter------CRHrouter1------intermediateRouters------CRHrouter2]
    A packet (SA=internet, DA=CRHrouter1) (CRH SL=1, SID[0]=CRHrouter2, SID[1]=CRHrouter1) is received by BorderRouter.
    In this case, the DA = CRHrouter1 means "an interface that resides inside of the network" ?
    If there are 1000 routers say CRHrouter1/2/.../1000, will you consider to use an IPv6 address block (like 5.1 of RFC8754) for this judgement ?

Best Regards
Jingrong


-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Ron Bonica
Sent: Thursday, May 14, 2020 2:28 AM
To: Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes) <ddukes=40cisco.com@dmarc.ietf.org>
Cc: 6man <6man@ietf.org>
Subject: RE: CRH and RH0

Bob,

I just posted version 16:

- tracker: https://datatracker.ietf.org/doc/draft-bonica-6man-comp-rtg-hdr/
- diff: https://www.ietf.org/rfcdiff?url2=draft-bonica-6man-comp-rtg-hdr-16

It removes all references to RH0 and is more explicit about operating inside of a network domain for security reasons.

I still see a use case for the 32-bit SID, so I left that in the draft.

                                                                    Ron


Juniper Business Use Only

-----Original Message-----
From: Bob Hinden <bob.hinden@gmail.com> 
Sent: Wednesday, May 13, 2020 1:29 PM
To: Darren Dukes (ddukes) <ddukes=40cisco.com@dmarc.ietf.org>
Cc: Bob Hinden <bob.hinden@gmail.com>; Ron Bonica <rbonica@juniper.net>; 6man <6man@ietf.org>
Subject: Re: CRH and RH0

Hi,

> On May 13, 2020, at 10:16 AM, Darren Dukes (ddukes) <ddukes=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi Ron,
> 
> I'm still trying to figure out where you're going with this.
> First it was SRm6, then an RH0 replacement, then not an RH0 replacement (in the 6man meeting), then it sort of is...
> 
> So I'm hoping you'll update the draft so I can understand a bit more:
> - CRH has nothing to do with RH0.
> - CRH operates only within a limited domain.

I think these are reasonable suggestions.

I also think only having one size would be helpful.

Bob


> 
> Anything else to clarify from others comments would help too.
> 
> Thanks
>   Darren
> 
>> On May 12, 2020, at 5:36 PM, Ron Bonica <rbonica@juniper.net> wrote:
>> 
>> Ole, Darren,
>> 
>> The CRH is a general purpose Routing header that operates inside of a network domain. In the sense that it is a general purpose routing header, it replaces RH0. In the sense that it is restricted to a network domain, it does not replace RH0.
>> 
>> If adding these two sentences will cause you to support the draft, or at least not object to it, I will happily add them!
>> 
>> Are these the only objections?
>> 
>>                                                                                    Ron
>> 
>> 
>> 
>> Juniper Business Use Only
>> 
>> -----Original Message-----
>> From: otroan@employees.org <otroan@employees.org>
>> Sent: Tuesday, May 12, 2020 4:38 PM
>> To: Ron Bonica <rbonica@juniper.net>
>> Cc: Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
>> Subject: Re: CRH and RH0
>> 
>> [External Email. Be cautious of content]
>> 
>> 
>> Hi Ron,
>> 
>> 
>>> The answer to your question is a bit nuanced. My goals were to build a general purpose routing header that overcomes the RH0's limitations. Those being:
>>> 
>>>      - Its size
>>>      - Its security issues
>>> 
>>> Now, is that a replacement for RH0? In one way, yes. RH0 and CRH are both general purpose routing headers. In another sense, no. RH0 is meant to traverse network boundaries. But RFC 5095 taught us that letting routing header traverse network boundaries might not be a wonderful idea. So, CRH is restricted to a network domain.
>> 
>> If CRH could be a RH0 replacement, you would have to show how the tag distribution mechanism would work across the Internet?
>> RH0 was supported in every IPv6 node, given the requirement for a tag->IPv6 address (or is it forwarding method) mapping, I can't quite see how that would be done in a general enough fashion for CRH?
>> 
>> I don't think RFC5095 taught us that source routing cannot be done across the Internet.
>> In fact I don't see how the CRH draft prevents the RFC5095 attack to happen inside of the CRH limited domain.
>> Just send a packet with a list of tag#0, tag#1, tag#0, tag#1 and you have the same amplification attack.
>> 
>>> And now I return to my original question. When engineering students read the CRH RFC in 25 years, will they really care what my motivation was? Why should we burden them with this detail?
>> 
>> To the contrary. Take the motivations and intentions behind IPv6. We have spent thousands of emails trying to decode what the original intensions with EHs and their limitations were, why the minimum MTU was 1280, recently I saw a thread about the reasons for why TTL/HL and protocol/next header was swapped between v4 and v6. If your protocol is successful, the original napkin it was designed on will become legend. ;-)
>> 
>> Best regards,
>> Ole
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------