Re: I-D Action: draft-vyncke-6man-segment-routing-security-00.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 11 July 2014 20:50 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66BB21B2BD1 for <ipv6@ietfa.amsl.com>; Fri, 11 Jul 2014 13:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GB4RqsC6cLrW for <ipv6@ietfa.amsl.com>; Fri, 11 Jul 2014 13:50:00 -0700 (PDT)
Received: from mail-pd0-x22c.google.com (mail-pd0-x22c.google.com [IPv6:2607:f8b0:400e:c02::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD8F71B29FB for <ipv6@ietf.org>; Fri, 11 Jul 2014 13:50:00 -0700 (PDT)
Received: by mail-pd0-f172.google.com with SMTP id w10so1991886pde.3 for <ipv6@ietf.org>; Fri, 11 Jul 2014 13:50:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=8npcbtRpFkcVoLnK/eHC9IOW+o8OYvPAk08ra4ODAdg=; b=QzmmgifX1SwWcUIA/gGusKDykCCCVJpQu6pYrMLDFleJjonfG+Nv6R7wsg9h1UQp99 rB5zfpSiYkw9ySAg5V28w67Ekawhm93TEO1S0FgUADpD5s1a4Wcsb1WDI46RVv1REsVD Td6e6anr3f929rUne6DarRMuQSzWxQOYXxAL5GxdihxJ5sm8zlUNpXZMvVFYEi/mFHJk +frX16+qjR3QYfjbvbwLtuvCpPK3iP8CsBnaUpQMFq/cSwd1WxHkh/KD5VSF/zyroE9c rVkyXNGeORAp522LA8xG92x+WycilCrSNb2a+aaF9+x+3uJRrLgAt5GTkgdXVOQgzHhn z3Ug==
X-Received: by 10.68.252.41 with SMTP id zp9mr1075216pbc.65.1405111800421; Fri, 11 Jul 2014 13:50:00 -0700 (PDT)
Received: from [192.168.178.23] (217.199.69.111.dynamic.snap.net.nz. [111.69.199.217]) by mx.google.com with ESMTPSA id qu5sm13179576pab.10.2014.07.11.13.49.57 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 11 Jul 2014 13:49:59 -0700 (PDT)
Message-ID: <53C04E01.40300@gmail.com>
Date: Sat, 12 Jul 2014 08:50:09 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Subject: Re: I-D Action: draft-vyncke-6man-segment-routing-security-00.txt
References: <20140703134709.19452.78442.idtracker@ietfa.amsl.com> <53BF5A67.7050401@gmail.com> <CFE56204.20B2F%evyncke@cisco.com>
In-Reply-To: <CFE56204.20B2F%evyncke@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/YM6u0BqkSbe_-hqlQ9wPEYbLoNI
Cc: 6man <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jul 2014 20:50:02 -0000
Eric,
On 11/07/2014 19:54, Eric Vyncke (evyncke) wrote:
> Brian
>
> Thanks for your review.
>
> You are right extension headers are _usually_ inserted by the source.
When we were working on RFC 7045, I went through various RFCs very
carefully to check on this point. There is nothing anywhere that
allows intermediate nodes to insert headers. The whole mechanism
is designed on the assumption that the source node creates all
headers, and performs fragmentation if needed, as well as being
responsible for PMTUD of course.
> But,
> this is not _always_ the case, for instance, we can argue that ESP/AH in
> tunnel mode can be added by a security gateway.
Tunnel mode is irrelevant, because the outer header (that
includes an IPsec header) encapsulates the inner header,
which is unchanged. It's very clear in section 5.1.2.2 of
RFC 4301. (There are two fields in the inner header, ECN
and hop limit, that get updated by the decapsulator.)
> So, inserting a SRH is not that exceptional.
On the contrary, it's completely exceptional.
> Of course, special care must
> be taken for MTU but in the use case this would not be a problem as SRH is
> used mainly within a single operator, so, a prerequisite is to have a
> larger MTU on all internal links.
"Mainly" is not good enough. I agree that we sometimes specify
things that only work within a single administrative domain, but
that has to be spelled out and architecturally clear.
> Note: I just quickly read again RFC 2460, and, I did not find any place
> where it is specified that extension header must be inserted only by the
> source. If my reading is wrong, then this is another reason to propose
> this I-D to 6MAN ;-)
It's true that it isn't stated in those words. It's just clearly implied.
Stefano,
On 11/07/2014 20:35, Stefano Previdi (sprevidi) wrote:
> On Jul 11, 2014, at 5:30 AM, Brian E Carpenter wrote:
...
>> > It seems that draft-previdi-6man-segment-routing-header-01 has the
>> > same problem. It says:
>> >
>>> >> When creating the SRH (either at ingress node or in the SDN
>>> >> controller) the following is done:
>>> >>
>>> >> Next Header and Hdr Ext Len fields are set according to [RFC2460].
>>> >>
>>> >> Routing Type field is set as TBD (SRH).
>>> >>
>>> >> The DA of the packet is set with the address of the FIRST segment
>>> >> of the path.
>> >
>> > (etc.)
>> >
>> > These are operations that can only be done by the host that creates
>> > the IPv6 packet, which is also the only place that a fragment header
>> > can be included if needed. As I understand it, the "ingress node" is
>> > a router, not the originating host. So this seems to be broken.
>
>
> well, unless the multiple interoperable implementations we have are
> also broken, I can tell you (and show you) it's a reality that works
> well, that address a set of requirements (especially in terms of
> service chaining) and "routers" can happily insert extensions headers.
Well, it would be interesting to know how those implementations
work when there is a marginal MTU inolved and/or when the hosts
are using IPsec. It doesn't alter the fact that as far as the
design of IPv6 extension headers goes, this is a hack.
> Now, let's agree on the definition of "router". If it's a device
> acting at layer 3 and that "routes" packets based on DA and FIB
> instructions, then it is obvious that a router can insert an SRH.
No it isn't; it's obvious that routing headers were designed to
be created by the originating host, before calculating the payload
length and before deciding whether a fragment header is needed.
I can imagine in an SDN context that the source host is
instructed by the SDN controller to insert a specific SRH.
I can imagine a model where the source host includes an
blank SRH that can be updated by the ingress router.
But the model suggested in these two drafts where an ingress
router inserts an SRH is definitely incompatible with RFC 2460.
Brian
- Re: I-D Action: draft-vyncke-6man-segment-routing… Brian E Carpenter
- Re: I-D Action: draft-vyncke-6man-segment-routing… Eric Vyncke (evyncke)
- Re: I-D Action: draft-vyncke-6man-segment-routing… Stefano Previdi (sprevidi)
- Re: I-D Action: draft-vyncke-6man-segment-routing… Brian E Carpenter