答复: Questions regarding the security mechanisms//RE: CRH and RH0

[qinfengwei <qinfengwei@chinamobile.com>]

Hi Ron and authors,

As a operator, Security is one of the most important factors in whether a
solution could be implemented.
It is hoped that the security aspects will be carefully considered.


Thanks,
Fengwei Qin

-----邮件原件-----
发件人: ipv6 [mailto:ipv6-bounces@ietf.org] 代表 Xiejingrong (Jingrong)
发送时间: 2020年5月14日 23:19
收件人: Ron Bonica; Bob Hinden; Darren Dukes (ddukes)
抄送: 6man
主题: Questions regarding the security mechanisms//RE: CRH and RH0

Hi Ron and authors,
I haven't found much change about the security mechanisms in the latest
revision of this draft. 
So here are some questions I have so far on this aspect (based on the
rev-18):

9.  Security Considerations

   Networks that process the CRH MUST NOT accept packets containing the
   CRH from untrusted sources.  Their border routers SHOULD discard
   packets that satisfy the following criteria:

   o  The packet contains a CRH

   o  The Segments Left field in the CRH has a value greater than 0

   o  The Destination Address field in the IPv6 header represents an
      interface that resides inside of the network.

   Many border routers cannot filter packets based upon the Segments
   Left value.  These border routers MAY discard packets that satisfy
   the following criteria:

   o  The packet contains a CRH

   o  The Destination Address field in the IPv6 header represents an
      interface that resides inside of the network.

[Q1] Do the words 'SHOULD' and 'MAY' mean the protection for boundary is
optional? Or there is no "limited domain" boundary for the CRH ?
    If this is optional, Is it possible for a packet to be constructed and
sent from internet such that it will oscillate between two CRH routers many
times ?

[Q2] Does the word 'MAY' mean a router cannot filter packets based upon the
SL value, but may filter packets contains a CRH ?
    Judging a packets contains a CRH means judging a packet contains a RH
and "Routing Type" field == 5/6;
    Judging a packet whether the SL is greater than 0 means judging a packet
contains a RH and "SL" field !=0;
    I failed to see why a router could do the first one but couldn't do the
second one.
    Besides, could the above two judgements be executed on a border router
if there is a HBH before the RH ?

[Q3] How to judge the "DA represents an interface that resides inside of the
network"? suppose the following diagram:
 
[Internet--------BorderRouter------CRHrouter1------intermediateRouters------
CRHrouter2]
    A packet (SA=internet, DA=CRHrouter1) (CRH SL=1, SID[0]=CRHrouter2,
SID[1]=CRHrouter1) is received by BorderRouter.
    In this case, the DA = CRHrouter1 means "an interface that resides
inside of the network" ?
    If there are 1000 routers say CRHrouter1/2/.../1000, will you consider
to use an IPv6 address block (like 5.1 of RFC8754) for this judgement ?

Best Regards
Jingrong


-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Ron Bonica
Sent: Thursday, May 14, 2020 2:28 AM
To: Bob Hinden <bob.hinden@gmail.com>; Darren Dukes (ddukes)
<ddukes=40cisco.com@dmarc.ietf.org>
Cc: 6man <6man@ietf.org>
Subject: RE: CRH and RH0

Bob,

I just posted version 16:

- tracker: https://datatracker.ietf.org/doc/draft-bonica-6man-comp-rtg-hdr/
- diff: https://www.ietf.org/rfcdiff?url2=draft-bonica-6man-comp-rtg-hdr-16

It removes all references to RH0 and is more explicit about operating inside
of a network domain for security reasons.

I still see a use case for the 32-bit SID, so I left that in the draft.

                                                                    Ron


Juniper Business Use Only

-----Original Message-----
From: Bob Hinden <bob.hinden@gmail.com> 
Sent: Wednesday, May 13, 2020 1:29 PM
To: Darren Dukes (ddukes) <ddukes=40cisco.com@dmarc.ietf.org>
Cc: Bob Hinden <bob.hinden@gmail.com>; Ron Bonica <rbonica@juniper.net>;
6man <6man@ietf.org>
Subject: Re: CRH and RH0

Hi,

> On May 13, 2020, at 10:16 AM, Darren Dukes (ddukes)
<ddukes=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi Ron,
> 
> I'm still trying to figure out where you're going with this.
> First it was SRm6, then an RH0 replacement, then not an RH0 replacement
(in the 6man meeting), then it sort of is...
> 
> So I'm hoping you'll update the draft so I can understand a bit more:
> - CRH has nothing to do with RH0.
> - CRH operates only within a limited domain.

I think these are reasonable suggestions.

I also think only having one size would be helpful.

Bob


> 
> Anything else to clarify from others comments would help too.
> 
> Thanks
>   Darren
> 
>> On May 12, 2020, at 5:36 PM, Ron Bonica <rbonica@juniper.net> wrote:
>> 
>> Ole, Darren,
>> 
>> The CRH is a general purpose Routing header that operates inside of a
network domain. In the sense that it is a general purpose routing header, it
replaces RH0. In the sense that it is restricted to a network domain, it
does not replace RH0.
>> 
>> If adding these two sentences will cause you to support the draft, or at
least not object to it, I will happily add them!
>> 
>> Are these the only objections?
>> 
>>
Ron
>> 
>> 
>> 
>> Juniper Business Use Only
>> 
>> -----Original Message-----
>> From: otroan@employees.org <otroan@employees.org>
>> Sent: Tuesday, May 12, 2020 4:38 PM
>> To: Ron Bonica <rbonica@juniper.net>
>> Cc: Darren Dukes (ddukes) <ddukes@cisco.com>; 6man <6man@ietf.org>
>> Subject: Re: CRH and RH0
>> 
>> [External Email. Be cautious of content]
>> 
>> 
>> Hi Ron,
>> 
>> 
>>> The answer to your question is a bit nuanced. My goals were to build a
general purpose routing header that overcomes the RH0's limitations. Those
being:
>>> 
>>>      - Its size
>>>      - Its security issues
>>> 
>>> Now, is that a replacement for RH0? In one way, yes. RH0 and CRH are
both general purpose routing headers. In another sense, no. RH0 is meant to
traverse network boundaries. But RFC 5095 taught us that letting routing
header traverse network boundaries might not be a wonderful idea. So, CRH is
restricted to a network domain.
>> 
>> If CRH could be a RH0 replacement, you would have to show how the tag
distribution mechanism would work across the Internet?
>> RH0 was supported in every IPv6 node, given the requirement for a
tag->IPv6 address (or is it forwarding method) mapping, I can't quite see
how that would be done in a general enough fashion for CRH?
>> 
>> I don't think RFC5095 taught us that source routing cannot be done across
the Internet.
>> In fact I don't see how the CRH draft prevents the RFC5095 attack to
happen inside of the CRH limited domain.
>> Just send a packet with a list of tag#0, tag#1, tag#0, tag#1 and you have
the same amplification attack.
>> 
>>> And now I return to my original question. When engineering students read
the CRH RFC in 25 years, will they really care what my motivation was? Why
should we burden them with this detail?
>> 
>> To the contrary. Take the motivations and intentions behind IPv6. We have
spent thousands of emails trying to decode what the original intensions with
EHs and their limitations were, why the minimum MTU was 1280, recently I saw
a thread about the reasons for why TTL/HL and protocol/next header was
swapped between v4 and v6. If your protocol is successful, the original
napkin it was designed on will become legend. ;-)
>> 
>> Best regards,
>> Ole
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------