RE: IPv6 header insertion in a controlled domain

Ron Bonica <rbonica@juniper.net> Mon, 09 December 2019 22:38 UTC

From: Ron Bonica <rbonica@juniper.net>
To: "otroan@employees.org" <otroan@employees.org>
CC: Sander Steffann <sander@steffann.nl>, 6man WG <ipv6@ietf.org>
Subject: RE: IPv6 header insertion in a controlled domain
Date: Mon, 09 Dec 2019 22:38:33 +0000
Message-ID: <BN7PR05MB5699D718910309436CC52130AE580@BN7PR05MB5699.namprd05.prod.outlook.com>
References: <BN7PR05MB5699F86F6DF1F224DF4A6E32AE580@BN7PR05MB5699.namprd05.prod.outlook.com> <C27A0E92-AF13-477B-9A22-DAB05494DE61@steffann.nl> <BN7PR05MB569952E6B42D62D8AF8F7AD2AE580@BN7PR05MB5699.namprd05.prod.outlook.com> <7B56011B-F95E-4F6D-ACD7-E6A342F33DDE@employees.org>
In-Reply-To: <7B56011B-F95E-4F6D-ACD7-E6A342F33DDE@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/RBnzIrK3s8zBjwsc3CQT3506RpY>

Ole,

If the Routing header is inserted by one transit node and not removed before it reaches its ultimate destination, authentication will fail. Won't it?

                                           Ron



Juniper Business Use Only

-----Original Message-----
From: otroan@employees.org <otroan@employees.org> 
Sent: Monday, December 9, 2019 9:32 AM
To: Ron Bonica <rbonica@juniper.net>
Cc: Sander Steffann <sander@steffann.nl>; 6man WG <ipv6@ietf.org>
Subject: Re: IPv6 header insertion in a controlled domain

Ron,

> I believe that the second does apply.

That's not at all obvious to me.
Elaborate please.

Cheers,
Ole

> -----Original Message-----
> From: Sander Steffann <sander@steffann.nl> 
> Sent: Monday, December 9, 2019 1:41 AM
> To: Ron Bonica <rbonica@juniper.net>
> Cc: Ole Troan <otroan@employees.org>; 6man WG <ipv6@ietf.org>
> Subject: Re: IPv6 header insertion in a controlled domain
> 
> Hi Ron,
> 
>> See Section 7.5 of .....
> 
> Not choosing to use AH to protect the SRH is one thing, but not supporting an AH in the existing packet when doing header insertion is quite another. I want to be sure the second doesn't apply.
> 
> Cheers
> Sander
>
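
Added example, not part of the original messages: a simplified Python model of the AH integrity check (RFC 4302, transport mode, HMAC-SHA-256-128) for the case raised at the top of this message, where a transit node inserts a Routing header and it is or is not removed before the ultimate destination. The key, addresses, SPI, one-segment SRH and all function names are constructed for illustration.

```python
import hashlib, hmac, ipaddress, struct

AH, ROUTING, UDP = 51, 43, 17   # IPv6 Next Header values
ICV_LEN, BASE = 16, 40          # HMAC-SHA-256-128 ICV; fixed IPv6 header length

def addr(a):
    return ipaddress.IPv6Address(a).packed

def ah_offset(pkt):
    nh, off = pkt[6], BASE
    while nh != AH:  # walk the chain; skipped headers count Hdr Ext Len in 8-octet units
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return off

def compute_icv(key, pkt):
    """ICV over the packet as received, mutable fields and the ICV itself zeroed."""
    buf = bytearray(pkt)
    buf[0:4] = struct.pack("!I", 6 << 28)   # traffic class and flow label
    buf[7] = 0                              # hop limit
    icv_at = ah_offset(pkt) + 12
    buf[icv_at:icv_at + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(key, src, dst, payload):  # source host, transport mode: IPv6 | AH | payload
    ah = struct.pack("!BBHII", UDP, 6, 0, 0x1000, 1) + bytes(ICV_LEN + 4)  # 4 pad bytes
    pkt = (struct.pack("!IHBB", 6 << 28, len(ah) + len(payload), AH, 64)
           + addr(src) + addr(dst) + ah + payload)
    return pkt[:BASE + 12] + compute_icv(key, pkt) + pkt[BASE + 12 + ICV_LEN:]

def ah_verify(key, pkt):
    icv_at = ah_offset(pkt) + 12
    return hmac.compare_digest(pkt[icv_at:icv_at + ICV_LEN], compute_icv(key, pkt))

def insert_srh(pkt, segment):
    """Transit node: splice a one-segment SRH (Segments Left 0) after the base header."""
    srh = struct.pack("!BBBBBBH", pkt[6], 2, 4, 0, 0, 0, 0) + addr(segment)
    plen = struct.unpack("!H", pkt[4:6])[0] + len(srh)
    return pkt[:4] + struct.pack("!HB", plen, ROUTING) + pkt[7:BASE] + srh + pkt[BASE:]

def remove_srh(pkt):  # domain egress: undo insert_srh, restore Next Header and Payload Length
    end = BASE + (pkt[BASE + 1] + 1) * 8
    plen = struct.unpack("!H", pkt[4:6])[0] - (end - BASE)
    return pkt[:4] + struct.pack("!HB", plen, pkt[BASE]) + pkt[7:BASE] + pkt[end:]

if __name__ == "__main__":
    key = b"k" * 32  # constructed key and documentation-prefix addresses
    p = ah_protect(key, "2001:db8::1", "2001:db8::2", b"constructed payload")
    q = insert_srh(p, "2001:db8:ffff::1")
    print(ah_verify(key, p), ah_verify(key, q), ah_verify(key, remove_srh(q)))
```

In this model the inserted header changes Payload Length and Next Header and adds bytes the sender never covered, so the receiver's ICV differs; a Hop Limit decrement alone does not break verification because that field is zeroed before the ICV is computed.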