RE: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt
Giuseppe Fioccola <giuseppe.fioccola@huawei.com> Fri, 23 July 2021 08:05 UTC
From: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
To: Stewart Bryant <stewart.bryant@gmail.com>
CC: Erik Kline <ek.ietf@gmail.com>, Christopher Wood <caw@heapingbits.net>, Yoshifumi Nishida <nsd.ietf@gmail.com>, "6man@ietf.org" <6man@ietf.org>, "draft-ietf-6man-ipv6-alt-mark.all@ietf.org" <draft-ietf-6man-ipv6-alt-mark.all@ietf.org>
Subject: RE: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt
Date: Fri, 23 Jul 2021 08:05:17 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/V6PUWCGUtowOF-f6qa6EEOoi0sY>

Hi Stewart,

Yes, my intention is to specify that, if it is needed to apply the Alternate Marking outside a controlled domain (e.g. e2e service monitoring) authentication MUST necessarily be used.

Regards,

Giuseppe

From: Stewart Bryant <stewart.bryant@gmail.com>
Sent: Thursday, July 22, 2021 4:43 PM
To: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
Cc: Stewart Bryant <stewart.bryant@gmail.com>; Erik Kline <ek.ietf@gmail.com>; Christopher Wood <caw@heapingbits.net>; Yoshifumi Nishida <nsd.ietf@gmail.com>; 6man@ietf.org; draft-ietf-6man-ipv6-alt-mark.all@ietf.org
Subject: Re: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt

Hi,

Later in the text in section 6 (security) it says

    As stated above, the precondition for the application of the
    Alternate Marking is that it MUST be applied in specific controlled
    domains, thus confining the potential attack vectors within the
    network domain.

If section 2 text is weakened, it both contradicts and weakens the security assumptions.

I suppose you could say that authentication MUST be used if the protocol is deployed outside a controlled domain, but I don’t think you can let it run in the wild as is.

- Stewart

On 22 Jul 2021, at 15:08, Giuseppe Fioccola <giuseppe.fioccola@huawei.com> wrote:

Hi Erik,

Thanks for the input. I tend to agree that the condition “MUST” can be changed to “SHOULD”.
I can address your comments in the -08 version.

Regards,

Giuseppe

From: Erik Kline <ek.ietf@gmail.com>
Sent: Wednesday, July 21, 2021 11:15 PM
To: Giuseppe Fioccola <giuseppe.fioccola@huawei.com>
Cc: Stewart Bryant <stewart.bryant@gmail.com>; Christopher Wood <caw@heapingbits.net>; Yoshifumi Nishida <nsd.ietf@gmail.com>; 6man@ietf.org; draft-ietf-6man-ipv6-alt-mark.all@ietf.org
Subject: Re: FW: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt

Giuseppe,

I think in S2.1 "MUST NOT" be used outside a "controlled domain" is perhaps a bit too strong. Similarly in S6, "MUST be applied in...controlled domains" might be moderated down to "SHOULD only be applied...".

I'll note that it is possible for an AH option to be used to ensure the DstOpt variant is unmodified en route, and these two in conjunction can be used wherever desired to send such packets outside the given domain (subject, of course, to all the middlebox interference any such packet would inevitably receive -- but that's a separate issue).

On Tue, Jun 22, 2021 at 11:27 AM Giuseppe Fioccola <giuseppe.fioccola@huawei.com> wrote:

Dear Stewart, Christopher, Yoshi, All,

Please note that I just submitted a new version of the draft. It has been thoroughly reviewed to address the comments received during the Last Call.
Your inputs are always welcome.

Regards,

Giuseppe

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Tuesday, June 22, 2021 8:13 PM
To: i-d-announce@ietf.org
Cc: ipv6@ietf.org
Subject: I-D Action: draft-ietf-6man-ipv6-alt-mark-07.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IPv6 Maintenance WG of the IETF.

    Title    : IPv6 Application of the Alternate Marking Method
    Authors  : Giuseppe Fioccola
               Tianran Zhou
               Mauro Cociglio
               Fengwei Qin
               Ran Pang
    Filename : draft-ietf-6man-ipv6-alt-mark-07.txt
    Pages    : 21
    Date     : 2021-06-22

Abstract:
    This document describes how the Alternate Marking Method can be used
    as a passive performance measurement tool in an IPv6 domain. It
    defines a new Extension Header Option to encode Alternate Marking
    information in both the Hop-by-Hop Options Header and Destination
    Options Header.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6-alt-mark/

There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-6man-ipv6-alt-mark-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-ipv6-alt-mark-07

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/