Re: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 16 May 2020 23:37 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EE6A3A0C0F for <ipv6@ietfa.amsl.com>; Sat, 16 May 2020 16:37:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sKAxhlKOPhVb for <ipv6@ietfa.amsl.com>; Sat, 16 May 2020 16:37:43 -0700 (PDT)
Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF9ED3A0C0D for <ipv6@ietf.org>; Sat, 16 May 2020 16:37:42 -0700 (PDT)
Received: by mail-pg1-x532.google.com with SMTP id n11so2869531pgl.9 for <ipv6@ietf.org>; Sat, 16 May 2020 16:37:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=ckA2azj4J5cJwHBAnwuXe9Mx+LklhdqjJrWUMF9EpuQ=; b=cU1ZJhmzRFQY10WZGBhpYCE1K/S5IRb0jBWPkDdUJw//wT64fgWN9AdkRCYXSx48DV SQWl+ypMqqobJwE6FSnhTuFde4pzI0vHxBLYC+sYjBFUah6H3ISivl0/TwZW5c/0IuT2 P2aqaQnE3zruQbAeeTEorLUdSgL5+xads3gHfmX3odjuT73wFbsTJyG/S50wNtuDcitm AosUY0mO6fLg7lvdgYEdhJeGCJMNEl3m8mKfuxyhYk8oAL6tcgb0KPtyW0e3s6Rcw0mP LHOI7LH2Zgt3AOACaSWYVYOD0NXAiIRQSE8HpZIzDuTpxzpqkV8xOnzA7eJjCTenvVZ8 JoMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=ckA2azj4J5cJwHBAnwuXe9Mx+LklhdqjJrWUMF9EpuQ=; b=Pjzh5sXC9260QZXKWfzsEDy/BlSSZsYJDiJLDyRlHCh07QUGmZjcG+b2H3K0Fs4nER u2oYAdu6wAOJjltIhwTgjTpF9rfd/tfJu1DgKjMMTSHctp+PR8R1c59avr5Y+BMzCz/f yg5Xg7QQoJiCT9/gfrU4oYnRIhi/5Y9oWg83P9BF/TWd5C5JnRQ+t0kzQV9SAb7ihMTw TYS8CN2w/wUdvZHiNFBQ3ErDly4wRyWy6a+iX/ziWB3HpihvAO2uhFcpI3PZOLJke7Bw d8HdzzgRRLDOEJnDRpk5+ATjk/KQ6h6ASAmrTN5thEc8a+9z2+opjoz37td1k5JNbps8 dH3g==
X-Gm-Message-State: AOAM532YrCiDVIZ19VoJ2Q4i16mqu1sQYaCXTLgPbcAlXzyNUwUPfCqW kIJVQZcg3DGfK59nhB6wGjU=
X-Google-Smtp-Source: ABdhPJy0Cdcoo70GGeHqXOidCqVZKgxgmlKk2aK5Vnd33B3x+HV+/t418rzc0hBse0CSF2RQtXtgZw==
X-Received: by 2002:aa7:9345:: with SMTP id 5mr10615642pfn.145.1589672261971; Sat, 16 May 2020 16:37:41 -0700 (PDT)
Received: from [192.168.178.30] ([165.84.12.178]) by smtp.gmail.com with ESMTPSA id p66sm4852654pfb.65.2020.05.16.16.37.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 16 May 2020 16:37:41 -0700 (PDT)
Subject: Re: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
To: Mark Smith <markzzzsmith@gmail.com>, "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
References: <19D30186-B180-4F65-BF00-7AD07CEF3925@gmail.com> <92cff01e5eeb4a1e85357e61c8ca63fd@huawei.com> <CAO42Z2zq4=QS7=NwnYtshf8rOUym+axC-F54ZnJxJs7jM8RP-w@mail.gmail.com> <24b140e4f15a41ceb3de9f91cde35e74@huawei.com> <CAO42Z2wUoQoWaLAemOpNUJXNBJbTMT2wyDsWvgk91Bj8bB8k-A@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <7291c5c7-cb3b-6e42-46fb-0b2ec2c17252@gmail.com>
Date: Sun, 17 May 2020 11:37:37 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CAO42Z2wUoQoWaLAemOpNUJXNBJbTMT2wyDsWvgk91Bj8bB8k-A@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/SeWzTc0kTG9RvhGCaaBCMc6Kyg4>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 23:37:44 -0000

Another thing is that ULAs work. People seem to be scared of them for some reason, but they just work straight out of the box. As many /48s as you want, for free, in parallel with whatever you got from IANA.

Choosing ULAs for the ANIMA autonomic control plane was a no-brainer, for all the reasons Mark gives, plus the benefit that the prefix itself can be auto-generated if wanted. Since we will surely need more and more automated configuration with these increasingly complex technologies, I think that a prefix capable of automatic generation is a strategic choice. Why would we want to configure 48 bit numbers by hand?

Regards,
   Brian

On 17-May-20 11:09, Mark Smith wrote:
> Hi Jingrong,
> 
> On Sat, 16 May 2020, 18:18 Xiejingrong (Jingrong), <xiejingrong@huawei.com <mailto:xiejingrong@huawei.com>> wrote:
> 
>     Hi Mark____
> 
>     Thanks for the introduction of RFC4193.____
> 
>     The RFC8754 boundary security mechanism is still unique IMO. ____
> 
>     The IPv6 ULA is just a candidate element of the mechanism, instead of the mechanism itself.
> 
> 
> So the ULA address space inherently has a lot of the security properties of the measures described in RFC8754, and that is by design.
> 
> If packets with ULA DAs leak because of a default route pointing out of the local network, they'll be dropped by the first default free Internet router they encounter.
> 
> By default, the ULA prefix of fc00::/7 and longer are not supposed to be advertised to or accepted by external networks, unless there is an agreement to route their ULA /48s between them, so interdomain routing of ULAs is not the default, unlike IPv6 public GUA addresses.
> 
> Packets that leak with a ULA source addresses will be caught by an upstream BCP38 source address filter.
> 
> ACLs should be used with ULA address spaces, however they only add to the existing inherent ULA security properties. ACLs used with global IPv6 addresses would be the only security measure, making the ACL mechanism/enforcement a single point of failure.
> 
> A lot of things have to go wrong for a packet that leaks with a ULA source or destination address to cause a negative effect on an external node. If that is still a concern, AH could be used so the packet fails authentication when it arrives at the external node, or ESP could be used so the payload looks like a bunch of random bits.
> 
> The intended forwarding and reachability domain for a network 's ULA prefix is the local network only, in contrast to global IPv6 GUA addresses where the forwarding and reachability domain is anywhere on the Internet.
> 
> So the ULA address space is a natural fit for traffic that is intended to be constrained to the local network, such as this case for the local network imposed tunnelling encapsulation to add information via the CRH.
> 
> Regards,
> Mark.
> 
>     ____
> 
>     __ __
> 
>     Thanks____
> 
>     Jingrong____
> 
>     __ __
> 
>     *From:*Mark Smith [mailto:markzzzsmith@gmail.com <mailto:markzzzsmith@gmail.com>]
>     *Sent:* Saturday, May 16, 2020 11:05 AM
>     *To:* Xiejingrong (Jingrong) <xiejingrong@huawei.com <mailto:xiejingrong@huawei.com>>
>     *Cc:* Bob Hinden <bob.hinden@gmail.com <mailto:bob.hinden@gmail.com>>; IPv6 List <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>     *Subject:* Re: Adoption Call for "The IPv6 Compact Routing Header (CRH)"____
> 
>     __ __
> 
>     __ __
> 
>     On Sat, 16 May 2020, 12:43 Xiejingrong (Jingrong), <xiejingrong@huawei.com <mailto:xiejingrong@huawei.com>> wrote:____
> 
>         Hi WG,
>         My main concern is the security aspect.
>         It has been in discussion in another thread "Questions regarding the security mechanisms".
>         Hope it could be carefully considered and discussed, especially there is the painful example of RH0 deprecated by RFC5095.
>         There is of course RFC6554 and RFC8754 which is designed later after the deprecation and which could be carefully learned and referenced.
> 
>         Ole said and repeated that "In fact I don't see how the CRH draft prevents the RFC5095 attack to happen inside of the CRH limited domain."
>         https://mailarchive.ietf.org/arch/msg/ipv6/UyXsGeI7IDM9_Z1lipG70gIzTLY/
> 
>         I was even worried about whether such attack could happen from Internet if there is no mandatory and deployable security mechanism on the wide boundary of a network.
> 
>         Brian observed the "limited-domain" pattern that is widely used in modern protocol design and put the heavy emphasis on the domain boundary security.
>         https://tools.ietf.org/html/draft-carpenter-limited-domains-13
> 
>         The RFC8754 section 5.1 IMO is the only boundary security mechanism operable/controllable/deployable so far I've seen for an IPv6 network that is widely connected to Internet.
>         Please correct me if you have some other better ones.
>         https://tools.ietf.org/html/rfc8754____
> 
>     __ __
> 
>     RFC4193, a limited domain and local network only address space.____
> 
>     __ __
> 
>     See also slide 50.____
> 
>     __ __
> 
>     "Getting IPv6 Private Addressing Right"____
> 
>     https://www.ausnog.net/sites/default/files/ausnog-2019/presentations/2.3_Mark_Smith_AusNOG2019.pdf____
> 
>     __ __
> 
>     __ __
> 
>     __ __
> 
> 
> 
>         BTW:
>         I don't think it deserved to throw away everything that SRv6/SRH have worked out (e.g., the RFC8754 section 5.1) just to claim the independence on them.
>         I have an I-D of IPv6-EH using many of the design patterns of SRv6/SRH with a reference to RFC8754 but I still insist and show its independent part.
> 
>         Thanks and Best wishes,
>         Jingrong
> 
>         -----Original Message-----
>         From: ipv6 [mailto:ipv6-bounces@ietf.org <mailto:ipv6-bounces@ietf.org>] On Behalf Of Bob Hinden
>         Sent: Saturday, May 16, 2020 6:14 AM
>         To: IPv6 List <ipv6@ietf.org <mailto:ipv6@ietf.org>>
>         Cc: Bob Hinden <bob.hinden@gmail.com <mailto:bob.hinden@gmail.com>>
>         Subject: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
> 
>         This message starts a two-week 6MAN call on adopting:
> 
>          Title:          The IPv6 Compact Routing Header (CRH)
>          Authors:        R. Bonica, Y. Kamite, T. Niwa, A. Alston, L. Jalil
>          File Name:      draft-bonica-6man-comp-rtg-hdr-21
>          Document date:  2020-05-14
> 
>          https://tools.ietf.org/html/draft-bonica-6man-comp-rtg-hdr
> 
>         as a working group item. Substantive comments regarding adopting this document should be directed to the mailing list.  Editorial suggestions can be sent to the authors.
> 
>         Please note that this is an adoption call, it is not a w.g. last call for advancement, adoption means that it will become a w.g. draft.  As the working group document, the w.g. will decide how the document should change going forward.
> 
>         This adoption call will end on 29 May 2020.
> 
>         The chairs note there has been a lot of discussions on the list about this draft.   After discussing with our area directors, we think it is appropriate to start a working group adoption call.  The authors have been active in resolving issues raised on the list.
> 
>         Could those who are willing to work on this document, either as contributors, authors or reviewers please notify the list.   That gives us an indication of the energy level in the working group
>         to work on this.
> 
>         Regards,
>         Bob and Ole
> 
> 
>         --------------------------------------------------------------------
>         IETF IPv6 working group mailing list
>         ipv6@ietf.org <mailto:ipv6@ietf.org>
>         Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>         -------------------------------------------------------------------- ____
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>