IETF Logo Mail Archive

RE: Packets leaking and escaping from domains ....

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Mon, 11 May 2020 08:28 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F213A0908 for <ipv6@ietfa.amsl.com>; Mon, 11 May 2020 01:28:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=fCkZdI1+; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Aja+VN+N
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Br8wrNvpL55 for <ipv6@ietfa.amsl.com>; Mon, 11 May 2020 01:28:17 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A80C3A0901 for <ipv6@ietf.org>; Mon, 11 May 2020 01:28:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5854; q=dns/txt; s=iport; t=1589185697; x=1590395297; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=mrWH7Gi5aNtOqYVDGeFVHfVaCCU1UPO812tBT4kDxWA=; b=fCkZdI1+AqDgUqEuNDF5/PE6XBILXlKBKMZqrFSNtmtQyTNoTbPtYtBk F8SyZh+mqsQUBaXrRfpa0yivNBSnx/vSkgenRY5ancgd+Zw+qoxthJ/RN UZ73PvBVcMDs7tD0Zr0KJqABGxRavpN7Waii5arydURJb6XDtJloGhFIU k=;
IronPort-PHdr: 9a23:rSMmNByA8qpBxsTXCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5ZRaBt/VgllXER5nf4vRIzeHRtvOoVW8B5MOHt3YPONxJWgQegMob1wonHIaeCEL9IfKrCk5yHMlLWFJ/uX3uN09TFZX+akfYr2eu6TcUFlP0Mg8mbujwE5TZ2sKw0e368pbPYgJO0Ty6Z746LBi/oQjL8McMho43IacqwRyPqXxNKOk=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CJAADkC7le/4gNJK1mHAEBAQEBAQcBARIBAQQEAQFAgTMHAQELAYFTUQVvWC8sh2oDhFiIaoEOlymBLoEkA1QLAQEBDAEBGAsKAgQBAYREAoIOJDQJDgIDAQELAQEFAQEBAgEFBG2FKggkDIVxAQEBAQMBARAoBgEBLAsBCwQCAQgRBAEBAR4QJwsdCAIEAQ0FCBqDBYJLAy4BDqIOAoE5iGF0gTSDAQEBBYUpGIIOAwaBOAGCYoJJhxgagUE/gRFDgh8uPoJnAQEDgTkrg0WCLY5KpCUKgkqIG4pXhVOCXDOINJF3kB2JWpNQAgQCBAUCDgEBBYFSOYFWcBU7gmlQGA2NN4MJg3KFFIVCdDcCBggBAQMJfItPB4I+AQE
X-IronPort-AV: E=Sophos;i="5.73,379,1583193600"; d="scan'208";a="476452501"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 11 May 2020 08:28:16 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 04B8SGRM001039 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 11 May 2020 08:28:16 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 11 May 2020 03:28:16 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 11 May 2020 04:28:15 -0400
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 11 May 2020 03:28:15 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=LDSz/Ds7hJEi4UiYk6I4/zJ7bu6WCkz1QbVpOaYPtWkc5KAFLYSZyvjwg+z2AY7jYarmllouR7tGtHTNi+SmAmbZwJjhds1C3Y/zFdYBOYIVqHEPyxgP+4ng+g9Om+xL6I7cc8fm/m5jYlJt3joOklBrmLsO/Xg3DrGfK6OqUKfuIJQzcVwJq0QOg6YZTbbanZ54ULG6EbOr7AM1PGLzjs7pjseoM97vc+TCgJqicvIfG9LOaVLMFNt6CHr+tLM6ZrxWzmuU7F9GFJrQ7R9xQPjlmqA1X6zSbUNIYfcpkL72plCSmlYq9Wn8YxOLlly2/viS9wDj2XPS3Ya/rMZftg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4PN8sa3TJZUveTpyrigxsQYnwlVgwgI1X4TLUJb6SXI=; b=WucBbeJCqy44ym6mO1R5OznAj3gf/nJeIHHi+Klft9/OpM8HlR7BiYmTA8SB2FiVjyXBDFSlwXDdTRGtpwjp1YKP/WTUqznMHFtoUGr6+2U8g4FsGQHVLGXWcAdUSinl4vHbfThxgUNmC6euprSLLEzrSZPaUuumIyqKuYgeJDjH1ZA7CmRn+rHaxPOJPRASXYTwedILV7WBVh+Z0lGHX9z23FHnXlE4lSxCoKDbmkOpKEGXW7eRd0a4uMOyO+VqcIgM23tQcpcZn80KeDaYOXZa8jeZjM12hxSGpdSBsku8zpnfvSilAxllozgRyMM5JEvXWs+52RV6yKhkmQWiug==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4PN8sa3TJZUveTpyrigxsQYnwlVgwgI1X4TLUJb6SXI=; b=Aja+VN+NDbRQK+Nk8HadWiUCon8Rz0O9CvLqsb9ao0gsyAMWvCOTcIM8AV0yl3QudoT18DJxXgQ5dzN5o0LzonXUA/4dnoD5xTwhAjpEeP1Dfwhvw2oiqlWiF4h4pqk7I5jY1ZRsytoRDmXHQ09+UN0WWcBq3Bnx/TVWGopTXlU=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (2603:10b6:208:ea::31) by MN2PR11MB4552.namprd11.prod.outlook.com (2603:10b6:208:263::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.34; Mon, 11 May 2020 08:28:14 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::113b:3127:ef12:ea7]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::113b:3127:ef12:ea7%7]) with mapi id 15.20.2979.033; Mon, 11 May 2020 08:28:14 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Tom Herbert <tom@herbertland.com>, Robert Raszuk <robert@raszuk.net>
CC: 6man WG <ipv6@ietf.org>
Subject: RE: Packets leaking and escaping from domains ....
Thread-Topic: Packets leaking and escaping from domains ....
Thread-Index: AQHWJq6aAn7Pc7dozU26Y4YZCSpmM6ihKkcAgAABPoCAAEJMAIAABxsAgABccoCAALyDwA==
Date: Mon, 11 May 2020 08:28:12 +0000
Deferred-Delivery: Mon, 11 May 2020 08:28:10 +0000
Message-ID: <MN2PR11MB3565D1888914B979FC059287D8A10@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <CAOj+MMG22BVKvb8tFBUOjPZUjWNvY-Pe7+-mmpXV0gxhn1zBiw@mail.gmail.com> <8f6a6db1-86c5-144b-8f51-9824d1e8dc47@foobar.org> <CAOj+MMHzV=mTjdM8WGrPxujLWBAMg59tZgKzVM4JuJU5=o84NQ@mail.gmail.com> <CALx6S346T8GoQEamVyWm18mcpdyf-GrnAM+QUJcQ2euTM6qWcg@mail.gmail.com> <CAOj+MMHgE3xMDnXrr5z2N-7vCEhdM3D81upRXddFJgNtJ5oddw@mail.gmail.com> <CALx6S37D9ibNhpYAYGkqqxX69zP6yJ2vnfA9sA+RKDNh0Jr5Lw@mail.gmail.com>
In-Reply-To: <CALx6S37D9ibNhpYAYGkqqxX69zP6yJ2vnfA9sA+RKDNh0Jr5Lw@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: herbertland.com; dkim=none (message not signed) header.d=none;herbertland.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2a01:cb1d:4ec:2200:e0cb:e75f:88ac:d5ed]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ad39cfc3-3e2b-470d-ae40-08d7f5853f87
x-ms-traffictypediagnostic: MN2PR11MB4552:
x-microsoft-antispam-prvs: <MN2PR11MB455254BF4A16D056B252CDFED8A10@MN2PR11MB4552.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 04004D94E2
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: k2xM7MfX7VICEJZkK5Ovg4sFwJwV9MTJXp740Q8gYjcG8ypgC0WRKrvKSYl2VTRnkTem3GUYX6PGMNjiqETv3T1kxuTxbBc/j/TV6GMRgHCC/M6Pt6bApzitQPKkBzzDxPygxU9Sf7q6+hsH7BZp/KIedmGFiaBAwWtP7/4Ezie19JPQ0P4UdTm0fCAAZUNECLgUQniU77gD+yeNNFP2adeS3CVFrrzsvU9QEeYi7aosQ0G7Emyans3W5BTW0bZDbvowsT1cQhZVTRhEpNXMZ+HYtsQ3wBRoZvN1ySJb+8nF+T9jog9db6K8rE1WvjEGL/b53iVBaD77x2bqRb6DNV+sJcQvC+/DtavKUcV/u/lJi917D3f6xMKX0vm8ky/qU6RcQxfZxBHPyCQP0Vzsultwej77Ty6kztHRruFA15hpU7PfpeRf4h6nxD++k9DaO+QGa1TNnCA0CqCDNrtSVvaapW6YC/q3iyTSHnTjbK6CnQikdsg+projT5ziQUY0wUoOUyR+QSP6+cnjSG5faXG2xrGhHPvVCXWNpmHammYRJqoZjkoyJDQUVLu1iym+oKETN+014j6ej8C3agB1K79KkAt6wIC1V9lLxMqm868=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB3565.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(376002)(39860400002)(396003)(136003)(366004)(33430700001)(5660300002)(86362001)(8676002)(76116006)(66556008)(66476007)(66446008)(64756008)(966005)(66946007)(478600001)(33440700001)(186003)(33656002)(52536014)(4326008)(71200400001)(110136005)(2906002)(53546011)(6506007)(316002)(8936002)(66574014)(9686003)(55016002)(7696005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: O/tYoffVwXhGzMun5LCuiZVzGIJF5MY2VS3v0DBN+ctIHDgttWWP6u5qe/lO4m06ocTk00ka4aETHZIJ7e/jP36SqBTRJy0n6RvvD2f2Rjf1BZmvth2PvR30f7hTU863BS8iAinghCZKR0r3vK4ApQdTyL1Xy0NESBK3k+D0tMR0Go0GLDUF1CCAy156p+2SuGLOOx66kQflNd1ONAdzoVLKCZ+BPUfXLUxb+pm16/QURMjIqspdKh3MPngJGaikjdN3BFw+PJPmm6mfbfGyD/CnWPM9IzT4s6gI5h4w4ervGBjQUyUU69xMN0vjr6LHzpi116fac37ydKVwLvaqsqttYCoe+cCmyorF2wzgT7R98SU2YNBYTGCn6+jbYYW11gEMjUmQk0eSKtYRW14c3gJb2EguQ6+rrb1w4VZnnVat4JU4xjjrZKAtzF59QHfDLZiDFGM3ij9mRUzh6AZquHo2CoLXbtZZH77A45aALJwn6YNro9emwuan+HM58SVifhlBpMA0WGBRlneFBFBSwAeGWoeNfGD4oCJQdBsmUqjp5its5X+tyaf3zT4GxsbG
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: ad39cfc3-3e2b-470d-ae40-08d7f5853f87
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 May 2020 08:28:13.9557 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kylq4jHncBTuICVumQx0IfpX97uxIrvhuLK4a1vX6h4TKnMk0ahNzCzCRONnl3yPptVoMU2gPGbQz1BxSI1/EQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4552
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/VtAmKZGKBUQeCo8n3bVB2ZktK_w>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2020 08:28:25 -0000

Hello Robert

This requirement has similarities with the HoA in MIPv6, so indeed it appears feasible;

Keep safe,

Pascal

> -----Original Message-----
> From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Tom Herbert
> Sent: dimanche 10 mai 2020 23:10
> To: Robert Raszuk <robert@raszuk.net>
> Cc: 6man WG <ipv6@ietf.org>
> Subject: Re: Packets leaking and escaping from domains ....
> 
> On Sun, May 10, 2020 at 8:39 AM Robert Raszuk <robert@raszuk.net> wrote:
> >
> > Hi Tom,
> >
> > The problems described by RFC7872 do not talk about IPv6 bugs and drops
> due to presence of Routing Headers.
> >
> > I think we have heard so many times that RHs MUST not be processed by
> transit nodes - nodes which DA address is not in the DA of the packet.
> >
> > So here you are stating that there is another fear that routers will drop a
> IPv6 packet if it contains Routing Header of some sort. Worse sender for some
> reason will not know about it.
> >
> > I think facts as documented in current deployments actually prove
> > otherwise:
> > https://tools.ietf.org/html/draft-matsushima-spring-srv6-deployment-st
> > atus-04
> >
> > I am yet to see a single prove that not a final destinations neither segment
> endpoints just drop IPv6 transit packets if it contains single SRH (or for that
> matter even multiple SRHs legally or illegally inserted). Till then let's assume
> that IPv6 actually works both in the Internet as well as in private domains.
> >
> Robert,
> 
> Except that neither IPv6 nor SRv6, nor any reasonable IETF protocol for that
> matter, ever make the assumption that protocols "just work".
> In the real world there are various conditions and that's why we need error
> reporting, like from ICMP, and error handling. For instance,
> RFC8754 prescribes sending of ICMP errors in response to errors about the
> SRH. That RFC is also very clear that the ICMP error is sent to the source
> address of that packet. So if an ICMP error is sent for a packet that contains an
> inserted header, the error goes to the original source of the packet not to the
> node that inserted the header. That begs the obvious question: how is a host
> receiving the error supposed to process an ICMP error containing headers that
> it didn't actually send. For instance, if the ICMP error indicates a parameter
> problem in the inserted header what is the host supposed to do with that? Is
> there a way to signal the network that it's doing something wrong? What if it's
> a PTB message but the host path MTU is already 1280 for a path?
> 
> Please note, I am specifically asking for the normative requirements of the
> protocol being defined, just saying there's deployment and you haven't seen
> any problems so far isn't sufficient.
> 
> Tom
> 
> > Many thx,
> > Robert.
> >
> >
> > On Sun, May 10, 2020 at 5:13 PM Tom Herbert <tom@herbertland.com>
> wrote:
> >>
> >> On Sun, May 10, 2020 at 4:17 AM Robert Raszuk <robert@raszuk.net>
> wrote:
> >> >
> >> >
> >> >> this is the heart of what we're talking about: the current
> >> >> proposal on the table is not compatible with legacy nodes.
> >> >
> >> >
> >> > Of course it is.
> >> >
> >> > For non SR capable IPv6 transit nodes not acting as SR segment endpoints
> all they see is a plain IPv6 packet.
> >> >
> >>
> >> Robert,
> >>
> >> You seem to be assuming that non-SR node will just ignore an inserted
> >> header; we know that isn't always true. There will be a fair number
> >> of routers or hosts that will drop packets with a segment routing
> >> extension header (like described in RFC7872). A limited domain
> >> doesn't guarantee this issue goes away. So a problem occurs when the
> >> inserted header causes loss or corruptions at any downstream node
> >> irrespective of whether the downstream router supports SR. When this
> >> happens there is no feedback loop to the node inserting headers that
> >> it is causing harm. The source host might detect packets are being
> >> lost or might even get an ICMP error, but in either case it cannot
> >> take any action to rectify the problem since it's not the one causing
> >> the problem and they will have no idea as to who that might be. Even
> >> if the network operator does notice some node dropping packets, they
> >> still would need to reverse engineer who inserted the headers which
> >> requires more than just looking at the packet and might not be a
> >> simple exercise escpecially if the packet has crossed domains.
> >>
> >> I believe this is a fundamental problem and it violates the sending
> >> clause of the robustness principle.  Attribution of packet contents
> >> is critical and RFC8200 is very clear that the source host "owns" the
> >> IPv6 headers and is specific about the conditions that intermediate
> >> nodes are allowed to modify packets in transit. This is the
> >> motivation for draft-herbert-6man-eh-attrib-00, packets with inserted
> >> headers would at least include an indicate of what exactly has been
> >> inserted and who the responsible party is.
> >>
> >> Tom
> >>
> >> > One would hope at least we all agree on that ....
> >> >
> >> >
> >> > -------------------------------------------------------------------
> >> > - IETF IPv6 working group mailing list ipv6@ietf.org Administrative
> >> > Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> > -------------------------------------------------------------------
> >> > -
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email