IETF Logo Mail Archive

Re: Segment Routing Drafts

Tom Herbert <tom@herbertland.com> Sat, 02 March 2019 01:18 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7363130E99 for <ipv6@ietfa.amsl.com>; Fri, 1 Mar 2019 17:18:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8xomJ4MLmvG for <ipv6@ietfa.amsl.com>; Fri, 1 Mar 2019 17:18:43 -0800 (PST)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1426130E84 for <ipv6@ietf.org>; Fri, 1 Mar 2019 17:18:43 -0800 (PST)
Received: by mail-qt1-x841.google.com with SMTP id z25so30006329qti.13 for <ipv6@ietf.org>; Fri, 01 Mar 2019 17:18:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ybw0EygMJMp+rQTRSmSz1GzReI/auX+w+Toint+/QJ4=; b=0I1dyHZ1NthBgVjFgkbXueB3ULGVQ4oqlbSTPDXHYU1TFK56Um6vp8SzbUK2QoeqRn DYXvE/EnARPJYxOslISzQlZZSZGxdzcW4u3YBybmEGZQhT2eMfRWX8ZvI3LF6Zkt8N25 52uIXITk3fGq7yWEyIPNpGYvHiD6lmXhiF/Y0JGr2BdZ58EDDaRfn7uz0G7a+sP5LDEg 8Cu3NF7ZzKEIxzyAtUKV5Yr2L93tuDDmU8qvAAuBYfINVemCDNxx/6rFzHMNzgxAujfj 9htQYpk5ZarxQL6hw/Ra/r0MVpzOi6nDuNAYW4DQ0nOF/m/cnUxUvMZ1veVpLYbOJ+Kc Cg3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ybw0EygMJMp+rQTRSmSz1GzReI/auX+w+Toint+/QJ4=; b=IGGSRuCBVYxEVeVKiBekpr4HzcSO+E7QnV0dwr7pWTHIgRANdYBhm5bQtWZYBJ2aDh raT9DZTGFyHEm0wVPEVO4jzU+LYLlOUjRSvBkjyNgdT8FOu35vtv9LF9oPcwQ2xPAiXR CQWf/w8ubq/FAJ05h7qNdKJu6aeB89ayZp5BfVV76tKW7jMjfjFzR568o6fH1jA7wtQv dYTHYSpod6TuPMVpFCslq00WB333mXAg4Y4evoEdeaem4qIXQdK8OkXQ4JmWviYfGNU1 XlnVo9GhmdcdJKKek+05OypCy0nQd2CVpIRTYQDx9wDM2s4S71sgPhz91iyrY24A9QrN 3rUA==
X-Gm-Message-State: APjAAAWvAjVXvLUVCmk0ra9AeO/slW1iepJfmfPMrLETO2+RSe2oRaxE +iCllGoSFKV58OgbxSxsd2Rs5s2XrONc3KhIMWZh5g==
X-Google-Smtp-Source: APXvYqwrujYNuUAqzSJNRljmGErnpz7LgVM+kpU+1iS2i2zAlq7sou5mh7QS5ww0dQ3DMY/HRQ+vuORLOjwGqi+FoS4=
X-Received: by 2002:a0c:ba13:: with SMTP id w19mr3966493qvf.179.1551489522504; Fri, 01 Mar 2019 17:18:42 -0800 (PST)
MIME-Version: 1.0
References: <BYAPR05MB424560001F76E403A33B94E7AE750@BYAPR05MB4245.namprd05.prod.outlook.com> <341A6C5C-3670-4C8F-A8CA-C80182AC1F3C@gmail.com> <7dffddcd-a810-764e-3929-01d7b400c410@gmail.com> <CALx6S37K-SbZOdmeu1vviDk2paEuyT4QXioXHq+Ok8WXVkfFVQ@mail.gmail.com> <f6df20e6-765a-2787-df78-0a18297f067f@gmail.com>
In-Reply-To: <f6df20e6-765a-2787-df78-0a18297f067f@gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 01 Mar 2019 17:18:30 -0800
Message-ID: <CALx6S342yKSwXH2VGxmQuh7RtmZ7bPqhYnmVH5kFUkuCiiJ+fg@mail.gmail.com>
Subject: Re: Segment Routing Drafts
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Fred Baker <fredbaker.ietf@gmail.com>, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/bk5oLPiR2iXIH9FmecuIGb5NiAc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2019 01:18:46 -0000

On Fri, Mar 1, 2019 at 4:55 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> On 02-Mar-19 13:39, Tom Herbert wrote:
> > On Fri, Mar 1, 2019 at 4:23 PM Brian E Carpenter
> > <brian.e.carpenter@gmail.com> wrote:
> >>
> >> On 02-Mar-19 11:25, Fred Baker wrote:
> >>>
> >>>
> >>>> On Feb 27, 2019, at 8:22 PM, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> >>>> - https://datatracker.ietf.org/doc/draft-bonica-6man-oam/
> >>>
> >>> I read this draft, and was immediately puzzled. The OAM option is useful if and only if it is implemented and configured, and (per the security considerations) is a reason the packet should not be permitted to enter aa subsequent network.
> >>
> >> The text is confusing. It says:
> >>
> >>    Network operators should block packets containing these extension
> >>    headers at their boundary.
> >>
> >> I hope that that is meant to say:
> >>
> >>    Network operators should block packets containing the OAM option
> >>    at their boundary.
> >>
> >> Because clearly it is way out of scope for this draft to address
> >> firewall recommendations in general (which anyway are covered by
> >> draft-ietf-opsec-ipv6-eh-filtering, currently "Waiting_for_AD_Go-Ahead").
> >>
> >>> As such, it is only useful on a small subset of the systems it encounters, and only in the originating network.
> >>>
> >>> Am I reading this correctly?
> >>
> >> Well, if it is intended as part of the segment routing specs,
> >> that needs to be stated in the draft. If so, it presumably inherits
> >> the property of segment routing that it only works within a Segment
> >> Routing Domain (https://tools.ietf.org/html/rfc8402#page-6)
> >> and the OAM option would be blocked at the domain boundary.
> >>
> >
> > Hi Brian,
> >
> > I don't see how facility is specific to segment routing. It seems like
> > a more general OAM service. That's also true of the VPN Context
> > Information Option.
>
> That's possible, but I'm going by Ron's cover note. It doesn't change
> my comment or Fred's very much though: if there isn't an SR domain
> boundary, the text clearly assume there is some sort of boundary
> where packets might be dropped.
> >
> >> Which is one of the motivations for draft-carpenter-limited-domains,
> >> of course.
> >>
> > As opposed to relying on an external firewall that may or may not
> > exist or being correctly configured to enforce a limited domain, I
> > suggest that the source itself should be responsible to decide whether
> > it's safe and feasible to use this option or any extension header to
> > some destination. Note that if the extension header is causing
> > problems, it's only the source that will be able to detect the problem
> > and take action (e.g. only the source node would receive an ICMP error
> > caused by an extension header).
>
> Or it would simply disappear into black hole. But basically I agree,
> the source (and the boundary node that might drop packets) needs to
> know what it's doing. Exactly why the limited-domains draft has
> these requirements:
>
> >>    7.  Verify Peer.  A node must be able to verify whether another node
> >>        is a member of the domain.
> >>
> >>    8.  Verify Role.  A node must be able to learn the verified role of
> >>        another node.  In particular, it must be possible for a node to
> >>        find boundary nodes (interfacing to the Internet).
>
True, but then I don't understand why these particular options
couldn't be exposed beyond a limited domain to the Internet. Claming
the scope as requirement would be restricting the potential value of
the feature I think. Suppose for instance that I am have trouble
reaching a node on the Internet. If I could attach OAM directives to
packets destined for the Internet then I can at least get some in-situ
measurements about what is happening in my local network. The only
alternative I see would be to encapsulate packets and tunnel then
across the domain to an egress point, but then the act of tunneling
can completely change the traffic flow and obscure the underlying
issue. What we really want in cases like this is a means in insert
options that are directed to the local network (domain), but are
otherwise transparent outside of the domain (FAST is designed along
these lines).

Tom

>    Brian

v2.23.0 | Report a Bug | By Email