Re: [IPv6] Fwd: Updated review of draft-ietf-6man-eh-limits-08
Tom Herbert <tom@herbertland.com> Mon, 12 February 2024 15:35 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587DDC14F5F4 for <ipv6@ietfa.amsl.com>; Mon, 12 Feb 2024 07:35:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RL0OGKUKfJU8 for <ipv6@ietfa.amsl.com>; Mon, 12 Feb 2024 07:35:37 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C064C14F6A5 for <ipv6@ietf.org>; Mon, 12 Feb 2024 07:35:37 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-5610b9855a8so7434168a12.0 for <ipv6@ietf.org>; Mon, 12 Feb 2024 07:35:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1707752135; x=1708356935; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=3rkC22cj052nfKO9/bGxGerJPd34ZZgcgodEWLJeasU=; b=VYCydfF0DOqY2KRHzjugtPSdpFZpMdGKwywAe/+z87NBlDKeo2AzMwjLxnm/z/jZ1R br3YFy6xhJ3VKqgLKFI3IETH+E33eR/GCrnCCIMqHmpBwVyHoP39KrjV7lWR5JIERHz8 tI94fAYdkUsqfX5iULEWx3yUsh1hKPChyzZJ3OAc8ZEb3Zj0Rn4rvdp9gFKiRxeseEH/ IZ0Ld3agbfUqd6TGcgOQ+scuxxqPNpYltokWErhMu8pQ+WJafb7l3FCbVHrogDDDXwgj TY7xvhq6FejhAfAjJTUUXkSHptdG3eV2ayhYXwo6Ybn8Kt0DV4OP+RRCCSWN5pepP8aI 4VpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707752135; x=1708356935; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3rkC22cj052nfKO9/bGxGerJPd34ZZgcgodEWLJeasU=; b=bmn5tTlquRuyf3HmuIvh+q0dY5qTGuCXTxpDtYSUiANHCmI2NCO5x1Hj81LUSaJ+KT 80/6gCOATwkDpJ8tiibr0+3fcrfYji3ry1CBkuLbrzac7FJeuCD36Fd6iEkdZf0RKvsO tVGgBc+LredzOeu4UrpxXWqZAPbSnPKJeSGZ4dtgQNpVCuz0u5bOAq6EME6jY8TW2NNF 4p4Xn4xri41haZA0lpIriFz8hKNesu81sWhKkWE+HPSWI1JQaskVcx9xovkU7/4UOBQX lCxCIX6WjSQRIKDFNed4TAksOZODQjd5SrCinxUf+tKi/4/ezbgjuPbh4xTE341g/X77 PDBQ==
X-Gm-Message-State: AOJu0Yz+k3KNSu/UxX5lmHHRmH1/eN3IdwVfFLqTO3x3FGjbwJ9vNG3K FuIc31/YYJQzFO7asPvOKsoGOKP3/2RoCQhkVQowqJDWB41dP9IbL5QMH4fh8hHZ6nLJDpoLcBf DUEjV//Z+xn/yIZfe/Pddt0N51zIgg3uZFrwArjlToIXxHge36Q==
X-Google-Smtp-Source: AGHT+IGX1YdAi/8grGXsyHYkIKuhLQ/JoL4lwIoI9/K68c6le6o5sgqZhBUidBJzcDCyhKxBNXXliYA8letVPy7eghU=
X-Received: by 2002:a05:6402:248e:b0:561:aa6:32f5 with SMTP id q14-20020a056402248e00b005610aa632f5mr9859621eda.18.1707752135098; Mon, 12 Feb 2024 07:35:35 -0800 (PST)
MIME-Version: 1.0
References: <CAFU7BAQXxe_qTscyMyVZ9kefozKqKd4VEexiOdi9ZkM0fa-=tg@mail.gmail.com> <CALx6S37Kcgp2r6DsMMoYi9cWH13UQbO2=m607snZNs6g0kwXbQ@mail.gmail.com> <CALx6S35HvbArrdu8M++tnihYJXwHG_tbrL3wvuMTUJzfZu1YPQ@mail.gmail.com> <PH7PR11MB847822F0FF64EB7B65796392DAAEA@PH7PR11MB8478.namprd11.prod.outlook.com>
In-Reply-To: <PH7PR11MB847822F0FF64EB7B65796392DAAEA@PH7PR11MB8478.namprd11.prod.outlook.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 12 Feb 2024 07:35:23 -0800
Message-ID: <CALx6S37wA-7pFp2V0_B+8L9Gx0TLRfdiAyszfi=TJjbub5e_6A@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne=40cisco.com@dmarc.ietf.org>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/bRQZnlAj7GNx_kglT-XdMwKVJTs>
Subject: Re: [IPv6] Fwd: Updated review of draft-ietf-6man-eh-limits-08
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2024 15:35:41 -0000
On Fri, Nov 10, 2023, 1:33 AM Frank Brockners (fbrockne) <fbrockne=40cisco.com@dmarc.ietf.org> wrote: > > Hi Tom, > > Thanks for taking on the challenge - or call it fun journey - to tackle this topic. > > > > > > > > > We think that terms like limited domains will make this challenging to > > > get through the IESG given it’s lack of clear IETF definition. Note, > > > we are not suggesting that it be defined here, better to remove it. > > > The text about explicit knowledge should cover this. > > > > Note that limited domain is not referred to in any of the normative > > requirements specified in the draft. We could reference RFC8799 if that > > would help, or remove all instances of the term. Which would be better? > > Given that the definition of "limited domain" seems to distinguish whether "this draft applies to me or not" (whether I'm an equipment vendor and/or deployer of equipment), IMHO it is very important to be specific of what this "limited domain" is. > Frank, Sorry for log response time, this was in my Drafts. > Per your note, RFC8799 isn't a useful reference, given that it is not an IETF document. It's useful as an informative reference. > > SRv6 defines a "segment routing domain" (RFC8402), IOAM defines an "IOAM domain" (RFC9486). Both RFCs don't define a "limited domain". Right, there's no normative definition of "limited domain", but they are limited domains in the sense that they are controlled domains and not the open Internet. > > > As such, would the definitions in the document apply to IOAM domains? Would they apply to SRv6 domains? The document seems to imply that the answer would be "no", by stating "For instance, the IOAM Hop-by-Hop option is intended for use in limited domains" in Section 2.2. > I.e., if I'm an equipment vendor that builds equipment for data center and enterprise networks that might deploy IOAM, this draft isn't for me. Similarly, if I'm a service provider that deploys an SRv6 backbone, this draft isn't for me either. The draft is specific here. "If it is known that all communicating parties for a particular communication, including destination hosts and any routers in the path, are capable of supporting more than the baseline then these default limits may be freely exceeded." and requirements for limits for sending hosts has a normative exception to that effect, for instance "A source host SHOULD NOT send a packet with an IPv6 header chain larger than 104 bytes unless it has explicit knowledge that all possible routers, intermediate nodes, and the destination host in the path are able to process a larger IPv6 header chain." So if a host is sending IOAM or SR to a destination within the respective domain then the limits can be exceeded because all the paths are well known and intended to support the EH. But, if the destination is outside of the IOAM domain or SR domain then the limits would be applicable since part of the path traverses networks that may or may not have sufficient support. Without additional information, a host doesn't know what the capabilities of a path are so the default limits would apply. Also, you may want to look at draft-herbert-eh-inflight-removal, this would allow hosts to exceed the limits assuming extension headers are removed if a packet egresses the network. For instance, this would be useful to use segment routing to route a packet to an egress router into the open Internet. While the packet is in the SR domain, SR EH is productively used, and at the egress HBH SR is removed since it contains information not useful to the outside world and forwarding the packet without HBH increases probability of successful delivery. > > > What I'd personally appreciate is a definition where the draft applies, rather than try to specify where is does not apply. The limits are the defaults on a sending host. The defaults don't apply "If it is known that all communicating parties for a particular communication, including destination hosts and any routers in the path, are capable of supporting more than the baseline then these default limits may be freely exceeded.". In practice, these are only guidelines for the sending application that we likely wouldn't enforce in the (Linux) stack. If someone configures IOAM or SR for some routes then we assume that they are sending into an IOAM or SR domain and not into the Internet and they understand the ramifications if those packets leak out of the domain. Tom > > > Cheers, Frank > > >
- Re: [IPv6] Updated review of draft-ietf-6man-eh-l… Jen Linkova
- [IPv6] Fwd: Updated review of draft-ietf-6man-eh-… Tom Herbert
- Re: [IPv6] Fwd: Updated review of draft-ietf-6man… Frank Brockners (fbrockne)
- Re: [IPv6] Fwd: Updated review of draft-ietf-6man… Tom Herbert