Re: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

Mark Smith <markzzzsmith@gmail.com> Sat, 16 May 2020 23:09 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C37B23A0BDA for <ipv6@ietfa.amsl.com>; Sat, 16 May 2020 16:09:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.928
X-Spam-Level: *
X-Spam-Status: No, score=1.928 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.626, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HSOx_vWxpEEu for <ipv6@ietfa.amsl.com>; Sat, 16 May 2020 16:09:24 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D04DA3A0BD8 for <ipv6@ietf.org>; Sat, 16 May 2020 16:09:23 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id i13so5730549oie.9 for <ipv6@ietf.org>; Sat, 16 May 2020 16:09:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xb08pUM2eXtRaGHxroSx7bMrs/yQxLystzZuMfU9P1o=; b=WRM7UrmejokSElXJIiCSH7sVCy7sbSAejUPvuJmE+Iau98/kEHnSR8/chA3qnK070Q mtydQ2C8Sjyj8bOME8PiKJLlt2iDA6THJDtOjxwUUDI//pxx3bzXb6LBM8UJKY1uhWEC XxD5EtfzLc6arT4ABcNRuEDEs4VZGhqjdHAylL909ohMxvujMTaoEHH5fF5KFzfcFGOg JfQVEq5jKpVKzkp8wZzGNuUshnl0UJutPgzXMwoEv6iYHZg8mIslUYCjcU/JrFuA70Ut /0fQZt8VyMvzPuY57Dee0x1lZO7EeNJQ/xBt5ANGyffduMuMhdx2tmI6w9wrrrUHF6YJ wgbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xb08pUM2eXtRaGHxroSx7bMrs/yQxLystzZuMfU9P1o=; b=MrEDbTO2PQL/bzyqLQPelxSClbTw/WaJlq1WKzu13ETQu7KjWCiBwdzS1mmS4sbnlY 26TIZJGmYpwXPAKlzb6c0yeqjO+knfAGfwNGyS0ZwnaGlcrxSoLrpCA1inNQo1FCChJS aJUok3TZ5YxWsZZnQplZEMrftACXxCeHG2/89CJFo+3KW0qs35Lw0QdhDLTNOTPTep13 EbCPov4wn9uBOsQFGga3bGWtNjFi6YMS1uK8gGjyQQvXVm6Z1Ct8XriFKiw/QPHQVEcR o6yN6NGxqNEJDPQX2FIsvuCn08GtYnivMFxix8DYUMGtKUZKSHtYVs8sc2ZcRzabRcMR lcyw==
X-Gm-Message-State: AOAM531UsigMoZfyXc9QVKcHoMNqWqFZ43jUdmwDdH2HIRirEf28LG1n xGgwKdxYvu9Uewpi98QNjRrGOV72Gw/O78YG4W8=
X-Google-Smtp-Source: ABdhPJz8mjhw+hY/6PKxxmRg8joJ9KQNYXin4qi92AgJj46ya4L6C5xivxx37NcgyetLkmdh47BQfC0OoZ6uiMqOLFM=
X-Received: by 2002:aca:7284:: with SMTP id p126mr6596894oic.54.1589670563049; Sat, 16 May 2020 16:09:23 -0700 (PDT)
MIME-Version: 1.0
References: <19D30186-B180-4F65-BF00-7AD07CEF3925@gmail.com> <92cff01e5eeb4a1e85357e61c8ca63fd@huawei.com> <CAO42Z2zq4=QS7=NwnYtshf8rOUym+axC-F54ZnJxJs7jM8RP-w@mail.gmail.com> <24b140e4f15a41ceb3de9f91cde35e74@huawei.com>
In-Reply-To: <24b140e4f15a41ceb3de9f91cde35e74@huawei.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sun, 17 May 2020 09:09:11 +1000
Message-ID: <CAO42Z2wUoQoWaLAemOpNUJXNBJbTMT2wyDsWvgk91Bj8bB8k-A@mail.gmail.com>
Subject: Re: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
To: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000038736705a5cc0566"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/bwIy53LRucGjYcZaWlpxIsDaXf4>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 23:09:26 -0000

Hi Jingrong,

On Sat, 16 May 2020, 18:18 Xiejingrong (Jingrong), <xiejingrong@huawei.com>
wrote:

> Hi Mark
>
> Thanks for the introduction of RFC4193.
>
> The RFC8754 boundary security mechanism is still unique IMO.
>
> The IPv6 ULA is just a candidate element of the mechanism, instead of the
> mechanism itself.
>

So the ULA address space inherently has a lot of the security properties of
the measures described in RFC8754, and that is by design.

If packets with ULA DAs leak because of a default route pointing out of the
local network, they'll be dropped by the first default free Internet router
they encounter.

By default, the ULA prefix of fc00::/7 and longer are not supposed to be
advertised to or accepted by external networks, unless there is an
agreement to route their ULA /48s between them, so interdomain routing of
ULAs is not the default, unlike IPv6 public GUA addresses.

Packets that leak with a ULA source addresses will be caught by an upstream
BCP38 source address filter.

ACLs should be used with ULA address spaces, however they only add to the
existing inherent ULA security properties. ACLs used with global IPv6
addresses would be the only security measure, making the ACL
mechanism/enforcement a single point of failure.

A lot of things have to go wrong for a packet that leaks with a ULA source
or destination address to cause a negative effect on an external node. If
that is still a concern, AH could be used so the packet fails
authentication when it arrives at the external node, or ESP could be used
so the payload looks like a bunch of random bits.

The intended forwarding and reachability domain for a network 's ULA prefix
is the local network only, in contrast to global IPv6 GUA addresses where
the forwarding and reachability domain is anywhere on the Internet.

So the ULA address space is a natural fit for traffic that is intended to
be constrained to the local network, such as this case for the local
network imposed tunnelling encapsulation to add information via the CRH.

Regards,
Mark.

>
>
> Thanks
>
> Jingrong
>
>
>
> *From:* Mark Smith [mailto:markzzzsmith@gmail.com]
> *Sent:* Saturday, May 16, 2020 11:05 AM
> *To:* Xiejingrong (Jingrong) <xiejingrong@huawei.com>
> *Cc:* Bob Hinden <bob.hinden@gmail.com>om>; IPv6 List <ipv6@ietf.org>
> *Subject:* Re: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
>
>
>
>
>
> On Sat, 16 May 2020, 12:43 Xiejingrong (Jingrong), <xiejingrong@huawei.com>
> wrote:
>
> Hi WG,
> My main concern is the security aspect.
> It has been in discussion in another thread "Questions regarding the
> security mechanisms".
> Hope it could be carefully considered and discussed, especially there is
> the painful example of RH0 deprecated by RFC5095.
> There is of course RFC6554 and RFC8754 which is designed later after the
> deprecation and which could be carefully learned and referenced.
>
> Ole said and repeated that "In fact I don't see how the CRH draft prevents
> the RFC5095 attack to happen inside of the CRH limited domain."
> https://mailarchive.ietf.org/arch/msg/ipv6/UyXsGeI7IDM9_Z1lipG70gIzTLY/
>
> I was even worried about whether such attack could happen from Internet if
> there is no mandatory and deployable security mechanism on the wide
> boundary of a network.
>
> Brian observed the "limited-domain" pattern that is widely used in modern
> protocol design and put the heavy emphasis on the domain boundary security.
> https://tools.ietf.org/html/draft-carpenter-limited-domains-13
>
> The RFC8754 section 5.1 IMO is the only boundary security mechanism
> operable/controllable/deployable so far I've seen for an IPv6 network that
> is widely connected to Internet.
> Please correct me if you have some other better ones.
> https://tools.ietf.org/html/rfc8754
>
>
>
> RFC4193, a limited domain and local network only address space.
>
>
>
> See also slide 50.
>
>
>
> "Getting IPv6 Private Addressing Right"
>
>
> https://www.ausnog.net/sites/default/files/ausnog-2019/presentations/2.3_Mark_Smith_AusNOG2019.pdf
>
>
>
>
>
>
>
>
>
> BTW:
> I don't think it deserved to throw away everything that SRv6/SRH have
> worked out (e.g., the RFC8754 section 5.1) just to claim the independence
> on them.
> I have an I-D of IPv6-EH using many of the design patterns of SRv6/SRH
> with a reference to RFC8754 but I still insist and show its independent
> part.
>
> Thanks and Best wishes,
> Jingrong
>
> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bob Hinden
> Sent: Saturday, May 16, 2020 6:14 AM
> To: IPv6 List <ipv6@ietf.org>
> Cc: Bob Hinden <bob.hinden@gmail.com>
> Subject: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
>
> This message starts a two-week 6MAN call on adopting:
>
>  Title:          The IPv6 Compact Routing Header (CRH)
>  Authors:        R. Bonica, Y. Kamite, T. Niwa, A. Alston, L. Jalil
>  File Name:      draft-bonica-6man-comp-rtg-hdr-21
>  Document date:  2020-05-14
>
>  https://tools.ietf.org/html/draft-bonica-6man-comp-rtg-hdr
>
> as a working group item. Substantive comments regarding adopting this
> document should be directed to the mailing list.  Editorial suggestions can
> be sent to the authors.
>
> Please note that this is an adoption call, it is not a w.g. last call for
> advancement, adoption means that it will become a w.g. draft.  As the
> working group document, the w.g. will decide how the document should change
> going forward.
>
> This adoption call will end on 29 May 2020.
>
> The chairs note there has been a lot of discussions on the list about this
> draft.   After discussing with our area directors, we think it is
> appropriate to start a working group adoption call.  The authors have been
> active in resolving issues raised on the list.
>
> Could those who are willing to work on this document, either as
> contributors, authors or reviewers please notify the list.   That gives us
> an indication of the energy level in the working group
> to work on this.
>
> Regards,
> Bob and Ole
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>