Re: [IPv6] Andrew Alston's Discuss on draft-ietf-6man-sids-05: (with DISCUSS and COMMENT)
Suresh Krishnan <suresh.krishnan@gmail.com> Tue, 30 January 2024 15:55 UTC
Return-Path: <suresh.krishnan@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42BA8C14CE5D; Tue, 30 Jan 2024 07:55:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E8mdiS_DatU3; Tue, 30 Jan 2024 07:55:25 -0800 (PST)
Received: from mail-oo1-xc2a.google.com (mail-oo1-xc2a.google.com [IPv6:2607:f8b0:4864:20::c2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F182BC14F70F; Tue, 30 Jan 2024 07:55:19 -0800 (PST)
Received: by mail-oo1-xc2a.google.com with SMTP id 006d021491bc7-59a1896b45eso1411146eaf.1; Tue, 30 Jan 2024 07:55:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706630119; x=1707234919; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sssDJEMnAXSHKg9uIdbuklgCa+QVQMPIniNDAq7MsJw=; b=LcdEYAg9ofSq78htN/2k/a+S7Muk+fH7/yvjfNWKS17Bxt/BMLBDe3KGuU5kTJ4Jxd tY0WW5G6uUgcPwFQqwuCEbsO5h6183G6QEL5EPs1ITKROFGRcjlGt6fjqcrVnKy1UOPO s9Ec1P+t3UQHFR/b6GSr1w10rah3KO0U62/MkXOaZ2TEp+BtBK+LqT+eyZvMS+f/DYVc 1m/Zb8pD19lme6yo9k277bmVmDEY2oz08KIMnDTAgE6CisPTjxShxOU4ft36vlXDdHUX E4j02rmHAmEommeTgDD9CKgZhbfFTeKQ3vq9qwGP1MtoXkU5943bY0TzzXJ8kiwehED0 pQGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706630119; x=1707234919; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sssDJEMnAXSHKg9uIdbuklgCa+QVQMPIniNDAq7MsJw=; b=AxyTEVr7kUTNEy0MrZqMxVN3DBZd/QBEbPQCcP0B86Hsk1Ef+pPOkP+E9Ax/VGrTE3 fNC6dZXMyLa351RrGOlrUaZDahpPCghAFzMJxsVEpY1ToVQDpl1sqVaRN31ojZyR8egd kPP/CSxQzTvxiZNj4t2OghKs6RaOgSCfxeVxdxKoDw+iZBau5kwQDzZIHfy3yMZy5ktB MFFfDMqwdP6I569N/gOTWtu8mLLN8Z6yHeoIVM7jozxcmeNgcsZVPJtd96g5Ky1BxOl5 F1hiUHm+Y2alEc6zEZFMdr7aLkbz5CW+KI5An9z0J4JV+Wih6pDEI7VRIEV9GapDovnP lj+A==
X-Gm-Message-State: AOJu0YwRjWeM7OexiZzNTdjMQ+PgLhomkQgUFfHQWok8T4tcCtcFtgh5 JmyksnXPvGlBBxLRz/xwga3NMJ+Uw8RwdunddDfIwZxy7YZXO+JFTQPg9tYcS90=
X-Google-Smtp-Source: AGHT+IE5/p49UjzFj91m+hoH6KhRwjt93jdwQG8Njf0DzLvszfGacLt0IzaCfbB0P0nx5P5Z7CfcqA==
X-Received: by 2002:a4a:350c:0:b0:599:ba9c:393a with SMTP id l12-20020a4a350c000000b00599ba9c393amr7815814ooa.0.1706630118826; Tue, 30 Jan 2024 07:55:18 -0800 (PST)
Received: from smtpclient.apple (45-19-110-76.lightspeed.tukrga.sbcglobal.net. [45.19.110.76]) by smtp.gmail.com with ESMTPSA id a11-20020a4ab10b000000b0059984e8d5c0sm1890015ooo.44.2024.01.30.07.55.18 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Jan 2024 07:55:18 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Suresh Krishnan <suresh.krishnan@gmail.com>
In-Reply-To: <170661460529.51126.2059293570448810187@ietfa.amsl.com>
Date: Tue, 30 Jan 2024 10:55:07 -0500
Cc: The IESG <iesg@ietf.org>, draft-ietf-6man-sids@ietf.org, 6man Chairs <6man-chairs@ietf.org>, 6man <ipv6@ietf.org>, Ole Trøan <otroan@employees.org>, Jen Linkova <furry13@gmail.com>, bob.hinden@gmail.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <27988DD4-C458-4753-B0CB-CA22A7CDF53B@gmail.com>
References: <170661460529.51126.2059293570448810187@ietfa.amsl.com>
To: Andrew Alston <andrew-ietf@liquid.tech>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/WqftIlp7sJzLwt6BxAWi9kOERBs>
Subject: Re: [IPv6] Andrew Alston's Discuss on draft-ietf-6man-sids-05: (with DISCUSS and COMMENT)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 15:55:27 -0000
Hi Andrew, Thanks for your discussion points. Please find responses inline. > On Jan 30, 2024, at 6:36 AM, Andrew Alston via Datatracker <noreply@ietf.org> wrote: > > Andrew Alston has entered the following ballot position for > draft-ietf-6man-sids-05: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-6man-sids/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Hi, > > Thank you for the document. There are various portions of this document that I > feel are worthy of a discussion. > > In Abstract the document states: > > "Due to the underlying use of IPv6, Segment Identifiers (SIDs) used by SRv6 can > resemble IPv6 addresses and behave like them while exhibiting slightly > different behaviors in some situations" > > I believe this to be inaccurate - you state further down in the document that > these SID's are used by transit nodes to forward, and treated (not > differentiated) from IPv6 addresses. I am not sure why this is inaccurate. For transit nodes these addresses are treated like any other IPv6 packets. For nodes implementing SRv6 and having the destination address of the packet SRv6 behaviors are implemented. > Now, the way I see it this document is > attempting to have this both ways - either an SRv6 SID is IPv6 address address > - or it isn't. If indeed it is an IPv6 address - it should conform. This was the exact question spring put forward to 6man to clarify. The document clearly states that SRv6 SIDs are not compliant with [RFC4291]. This is the relevant text in Section 3 "It is clear that this format for SRv6 SIDs is not compliant with the requirements set forth in [RFC4291] for IPv6 addresses but it is also clear that SRv6 SIDs are not intended for assignment onto interfaces on end hosts." > If it's > not - then SRv6 is indeed a separate data plane with all the caveats that come > with that. Further more, by stating that SID's are not IPv6 addresses, it > creates an impression that SID's are not routable over the general internet - > which - without special precautions / filters etc - they most certainly are. > Hence I have deep concerns about the impressions this document will create > vis-a-vie the security of SRv6. I do not see the security concern created by this document. Can you please explain an attack that is made possible by this document that is not possible otherwise? > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Section 4.1 of the document is no longer relevant - Spring Working group is > considering CSID (Next/Replace) and only those two, so this section of the > document is probably unnecessary. > > I would also question if since we are talking about special handling of CSID's > - would this document not also be the correct place to deal with fact that in > certain circumstances CSID's result in broken L4 Checksums? Section 4.1 is there only for historical context. Since both you and Jim brought it up as a concern, I think it makes sense to remove it and leave CSID questions to spring. Thanks Suresh
- [IPv6] Andrew Alston's Discuss on draft-ietf-6man… Andrew Alston via Datatracker
- Re: [IPv6] Andrew Alston's Discuss on draft-ietf-… Suresh Krishnan
- Re: [IPv6] Andrew Alston's Discuss on draft-ietf-… Erik Kline