RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

Ron Bonica <rbonica@juniper.net> Sat, 16 May 2020 04:05 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9A93A09BD for <ipv6@ietfa.amsl.com>; Fri, 15 May 2020 21:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=i2qCv71O; dkim=pass (1024-bit key) header.d=juniper.net header.b=Mas6yUKE
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oXyWAicUD1EA for <ipv6@ietfa.amsl.com>; Fri, 15 May 2020 21:05:02 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E32AE3A08CA for <ipv6@ietf.org>; Fri, 15 May 2020 21:05:01 -0700 (PDT)
Received: from pps.filterd (m0108163.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 04G42ODf029337; Fri, 15 May 2020 21:04:54 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS1017; bh=8oc4YanJh4Tb6Z1L6z0e2bwtY/KicREZ7VWkt/KiAtg=; b=i2qCv71OTvsj2hC32hvdajwC1nQFPxuSHGqusdfPoXNFIxxhBvDH+MBOPgzfcCwW46A7 drXr5OKDPa1PwaGXBUURkfkAV/KnIWGf5WoLwESJZJHlNL7RFJV2InoA9+TppkNgY1mM LQdFN2cFUpq42wFlv3v68ztydy9fvE4anRNy9SyEfaZdoE2/+z0vf4Aj4P2JrolEm3bU YWUTJqi+YMYFJu/R2jNWqsmuYicFFoCGfpZpEPRXtT1hQgSJbWUK0NKdoxTJ19P56Rf1 jDvlOQgOw3f1zf0kUh2elW2PNVPjLFkNQW0EUE9+SeXVPaZxkq+g3LZhWegXzQDIJlij iA==
Received: from nam10-bn7-obe.outbound.protection.outlook.com (mail-bn7nam10lp2100.outbound.protection.outlook.com [104.47.70.100]) by mx0b-00273201.pphosted.com with ESMTP id 3100xwqfup-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 15 May 2020 21:04:54 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VZChI0VBIzWAmUN+/yG9lNJ0aQMX6cOlQVL9l6FArZ471WCVA60Lv5AOuiaBisZkl2Y764VDoFOrLanqhRgDnrkhsgGd8cWyhgfAVd7f1iJ6kL73tavVaKK8XY+e/Cy7kLGNl6RjjZ8tgmpZnfg768qPbh2wAJh319+N7SY+yc20CzGmY5nh2HlIRFpZL0ldlKti6gRNqTbR40LIrB7eTCukHN1DRzFjqqVMS+eDFrosaSwJo5NkuKOKkU+f+mW4qq2REGEMgOWHISqiX3043L8rC+D2pZ+o4Fikm5HGgv4qOvXwLlkYokmnDEd6FtrHAW4CbgPgY6UxC6n1JMJrSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8oc4YanJh4Tb6Z1L6z0e2bwtY/KicREZ7VWkt/KiAtg=; b=IMBQQLMGkZU5B3oyuNpyg01MutnRSHECWd/auPlRjly2Ge8Id/Jj42CZ6yxpnhvb7VtwfRWd3GsI3JLczrpStM/4cqfPJCjlUoN5yotPeLuEpDkqsNUVxF0kQea0mgFV9wOPmXap066OaBVhEz8yfSacsqqMf4zVMPz28mJfzE3/LHMvI3SembaQWNYDGb35VM/bqj0FPa8bCJMSRtgAzkf9ILK5Q2CCgGE29+HyNp65P6Hvb9VYTIL57r5qDCJJL6BFlH0GFiit9uRdhnwMvX6tGeKNVvQIjbpwxXZa2TH5ZJGki/nUfvQgfonTj802J5xqWh+UBr+q8Valqt9tkQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8oc4YanJh4Tb6Z1L6z0e2bwtY/KicREZ7VWkt/KiAtg=; b=Mas6yUKE2ohxGqqNSuFmHTVbOOZEoDF9lD9UfldtxnpJjW3/7tZoKuGpP6OA4EkqkRagg+gBq/OADAZQ3N1BEeVqEiRUsl8swdvutyeK7rypiQhZa1K5oGAcEGZpGp1MB2oN8dCtGmcrfPl0VLYDxID/3sLz2NabyFCUK6R711Y=
Received: from DM6PR05MB6348.namprd05.prod.outlook.com (2603:10b6:5:122::15) by DM6PR05MB5481.namprd05.prod.outlook.com (2603:10b6:5:5d::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.13; Sat, 16 May 2020 04:04:33 +0000
Received: from DM6PR05MB6348.namprd05.prod.outlook.com ([fe80::c020:3bf5:7230:75e3]) by DM6PR05MB6348.namprd05.prod.outlook.com ([fe80::c020:3bf5:7230:75e3%4]) with mapi id 15.20.3021.010; Sat, 16 May 2020 04:04:33 +0000
From: Ron Bonica <rbonica@juniper.net>
To: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>, Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
Thread-Topic: Adoption Call for "The IPv6 Compact Routing Header (CRH)"
Thread-Index: AQHWKwYspvGUDSz9d0mNMkulZqetX6iqAWwAgAAT5DA=
Date: Sat, 16 May 2020 04:04:33 +0000
Message-ID: <DM6PR05MB63481D9765EA155C167778B4AEBA0@DM6PR05MB6348.namprd05.prod.outlook.com>
References: <19D30186-B180-4F65-BF00-7AD07CEF3925@gmail.com> <92cff01e5eeb4a1e85357e61c8ca63fd@huawei.com>
In-Reply-To: <92cff01e5eeb4a1e85357e61c8ca63fd@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Enabled=true; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SetDate=2020-05-16T04:04:32Z; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Method=Standard; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_Name=0633b888-ae0d-4341-a75f-06e04137d755; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_SiteId=bea78b3c-4cdb-4130-854a-1d193232e5f4; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ActionId=9c5ae7ac-4f4e-426a-a9b2-4b9a9f6fc62b; MSIP_Label_0633b888-ae0d-4341-a75f-06e04137d755_ContentBits=2
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=juniper.net;
x-originating-ip: [108.28.233.91]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 6e68c7d5-1a20-4e07-bc57-08d7f94e3db0
x-ms-traffictypediagnostic: DM6PR05MB5481:
x-microsoft-antispam-prvs: <DM6PR05MB548115486ACFE9E4461C3514AEBA0@DM6PR05MB5481.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 040513D301
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EPFFbmVODsRO9XhUTmxI0C3ay0jO5UMWroTbtJoobKDkUD4zhv5QUpBobpHG03jT+/mdMnaUT/UBkLP4pEjk1WeOxWywrP+PtVbdkZPpS1lPprGBwIhu8G6M/alo2b2DXyDekHKskjGZKrBbmiZ9VBxzRhTJW1t4W3+X6QI8gUvFZdTpgdCzCOOU4mEkCMdvMUO+mG1Z+VGGlgmu2H0Lp3xu0ZNa16n67AWfP6TNe174872nrmJj4igoeopVQYBjrb6xv1kbh5z+DL/8ot5O2TiinlfyY+t8CAQfvUtGHLLV8GdYRWFOyEIAcRr8uSJU0gC4ABta9X4w1gZoLya9uNMVZFlGkIYKSOTKFCfE5dWSiecBA+lYmbAnVsOyG7+rANj9i6UlfVK9z0k+AJ3AuXduSronROOoY0fM9WclQwBqJtIPJlfpcyz73iSvQt3vgQsVSTxhVJ4bVm6RR20ciaDN2b/4RPXE3jq+RIzknY8IKlA7lpapDdesO5pkaTIPgeDpkUd2zABkDOhizFJtdQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR05MB6348.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(376002)(136003)(39860400002)(366004)(966005)(66574014)(86362001)(33656002)(71200400001)(110136005)(66556008)(66946007)(64756008)(2906002)(66446008)(66476007)(7696005)(26005)(76116006)(8676002)(478600001)(8936002)(186003)(316002)(5660300002)(53546011)(52536014)(55016002)(9686003)(6506007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: yDp51O56E7ujqYPwPzykow8GzrxATk44goucuZTmQZ4mr9ft4iR1i2M3jN58LEbJG38BTiKe6Ner6GfnvwALfq2dz7OzssXRFzhZpnF3D7OaOsyOyEwZXukI100btm1nU9qpj9rVfSNiRi3oszxDkzP4CBUL18z2Fmu3tdymb0QM60+tEdBq4sC4N5GTGiY26Jb9pTdWpNrCLMpJpTHvXve79qWCeLNSdXKaC1+IWs2QbqyXt/RQFhNpwVrdAKW16I3U3PlJ1t8oh6GcoHE2jGE2Qv3IoNS42mUmUAZH/H1mTWT4njuGCQccxJAwrFIu5LyKm3QKFzONbdO4BFZeQunzobU25mkSwa/gFNAdw9lseKMGNKyGQLk84Qmd/sSBqiBlkD2Nmt/J0vz1I2upke9NrYRCAqPPjRHD/3gDPYpco7705H8HW6Qgkbuuk8MrMT6+HmIehXt9kArJKj8lsSEqABRt1xwqClM6gOQIdnIH72km7zBCImmwQstafWRg
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e68c7d5-1a20-4e07-bc57-08d7f94e3db0
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 May 2020 04:04:33.2703 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: h8leu9/ngRhE24XHPtYfZbM51+tFpEbuL6GkKicTUrklDjzFHmNZOmz6V70SPKvIvlcUyi2Ki4Kr6BPxFc3nAQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB5481
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-16_02:2020-05-15, 2020-05-16 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 clxscore=1015 adultscore=0 bulkscore=0 impostorscore=0 malwarescore=0 suspectscore=0 phishscore=0 spamscore=0 mlxlogscore=999 priorityscore=1501 lowpriorityscore=0 mlxscore=0 cotscore=-2147483648 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2004280000 definitions=main-2005160032
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/cY9l9GgYmVEb2uy5VRK6cTaEt-c>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 04:05:08 -0000

Jingrong,

The CRH security model is nearly identical to the SRH security model. In both cases, domain ingress nodes deploy ACLs that filter potentially harmful packets.

In the case of the SRH, ACLs filter packets addressed to SIDs in the network interior. In the case of CRH, ACLs filter packets that contain the CRH and are addressed to interfaces in the network interior.

In both cases, the processing node can be assured that the Routing header (SRH or CRH) came from a trusted source inside of the network.

                                                                   Ron


Juniper Business Use Only

-----Original Message-----
From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Xiejingrong (Jingrong)
Sent: Friday, May 15, 2020 10:43 PM
To: Bob Hinden <bob.hinden@gmail.com>om>; IPv6 List <ipv6@ietf.org>
Subject: RE: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

[External Email. Be cautious of content]


Hi WG,
My main concern is the security aspect.
It has been in discussion in another thread "Questions regarding the security mechanisms".
Hope it could be carefully considered and discussed, especially there is the painful example of RH0 deprecated by RFC5095.
There is of course RFC6554 and RFC8754 which is designed later after the deprecation and which could be carefully learned and referenced.

Ole said and repeated that "In fact I don't see how the CRH draft prevents the RFC5095 attack to happen inside of the CRH limited domain."
https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/ipv6/UyXsGeI7IDM9_Z1lipG70gIzTLY/__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2DEng7f6$

I was even worried about whether such attack could happen from Internet if there is no mandatory and deployable security mechanism on the wide boundary of a network.

Brian observed the "limited-domain" pattern that is widely used in modern protocol design and put the heavy emphasis on the domain boundary security.
https://urldefense.com/v3/__https://tools.ietf.org/html/draft-carpenter-limited-domains-13__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2CLne-AK$

The RFC8754 section 5.1 IMO is the only boundary security mechanism operable/controllable/deployable so far I've seen for an IPv6 network that is widely connected to Internet.
Please correct me if you have some other better ones.
https://urldefense.com/v3/__https://tools.ietf.org/html/rfc8754__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2JoLLr1M$

BTW:
I don't think it deserved to throw away everything that SRv6/SRH have worked out (e.g., the RFC8754 section 5.1) just to claim the independence on them.
I have an I-D of IPv6-EH using many of the design patterns of SRv6/SRH with a reference to RFC8754 but I still insist and show its independent part.

Thanks and Best wishes,
Jingrong

-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bob Hinden
Sent: Saturday, May 16, 2020 6:14 AM
To: IPv6 List <ipv6@ietf.org>
Cc: Bob Hinden <bob.hinden@gmail.com>
Subject: Adoption Call for "The IPv6 Compact Routing Header (CRH)"

This message starts a two-week 6MAN call on adopting:

 Title:          The IPv6 Compact Routing Header (CRH)
 Authors:        R. Bonica, Y. Kamite, T. Niwa, A. Alston, L. Jalil
 File Name:      draft-bonica-6man-comp-rtg-hdr-21
 Document date:  2020-05-14

 https://urldefense.com/v3/__https://tools.ietf.org/html/draft-bonica-6man-comp-rtg-hdr__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2LW9qoun$

as a working group item. Substantive comments regarding adopting this document should be directed to the mailing list.  Editorial suggestions can be sent to the authors.

Please note that this is an adoption call, it is not a w.g. last call for advancement, adoption means that it will become a w.g. draft.  As the working group document, the w.g. will decide how the document should change going forward.

This adoption call will end on 29 May 2020.

The chairs note there has been a lot of discussions on the list about this draft.   After discussing with our area directors, we think it is appropriate to start a working group adoption call.  The authors have been active in resolving issues raised on the list.

Could those who are willing to work on this document, either as contributors, authors or reviewers please notify the list.   That gives us an indication of the energy level in the working group
to work on this.

Regards,
Bob and Ole


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6__;!!NEt6yMaO-gk!XNBw5zIRuL9n6EU2w2SwjVeEwumn_mwyb7jKLAdahntyDvjhPixAv0cv2NhaaFJ2$
--------------------------------------------------------------------