IETF Logo Mail Archive

Re: [IPv6] Andrew Alston's Discuss on draft-ietf-6man-sids-05: (with DISCUSS and COMMENT)

Erik Kline <ek.ietf@gmail.com> Wed, 31 January 2024 15:52 UTC

Return-Path: <ek.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B30BC14F713; Wed, 31 Jan 2024 07:52:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rTW9pzPx6-pq; Wed, 31 Jan 2024 07:52:21 -0800 (PST)
Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE9E8C14F6B5; Wed, 31 Jan 2024 07:52:01 -0800 (PST)
Received: by mail-pj1-x102a.google.com with SMTP id 98e67ed59e1d1-295f3bf41d5so380394a91.0; Wed, 31 Jan 2024 07:52:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706716321; x=1707321121; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=z5gXJj94PLhD4GXHUbMayz08sXWSbU1Q2t8hYujONXE=; b=LE1Hj/YFa66ozg3LTzIumi6aiEQ6z+KakOl2H6v/hhhRDUKpdn+TH1c+nJozoGanWU a3Rb99E0A/QUM6GB7q8TI0L9qO+lyCd05WJh+2CdBnOsJjPZuNiL5sndbcKszN+au79X xF57beWmYa1fKwD9V5KdMtdPbyqCLhSaCMNGSxq8RuO0R7nqOpT7LzsFceXf3eVrrPSE IVXIEJmELTTDPgxqyCcfggnmMWFG7Twz19mvLLUtEB9K8tS1ryvLR8DMz+f1vrFMWVZR 1K4aNlSTzHO0d21zTMq5kQ+xolFODbg22qjj3BYFgNKgt523U7KC933POAT82HQLAyWP 55qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706716321; x=1707321121; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=z5gXJj94PLhD4GXHUbMayz08sXWSbU1Q2t8hYujONXE=; b=bVHNQsSCM7qetQz8DHJGgAtDT8sl9Fw0uNuLqy1pYpmn65nGAaDtE+7JjmDZNKNtAV r7gpfAcxbo56Rlb9UNWdHk6DWYoSfVvwIm8U3h8EBe34znKgfROf3+uH8s7U+0kys+h8 OBkiz6SuDd7EfROEhaTkAjEZ4jl/FCGLyENowBdXPlJC+Weir/E2gKnm9zzhWFj4HF9l qlumUsCKI8yTTW2CayKnP5ePJonsvNKOYgDCvDCPjRmpsvUrgwlfb1xSMod9SZEubuMx /4TPdy9dMIFxO0HqiIJG95ZEMwW897QS4VTZQom2f3THC4Rv7sB83mnV/PzfAfHmLYkc YFYA==
X-Gm-Message-State: AOJu0YwCE+vcx92a3BYEx/G/yhEDe1TshrVy8O0eb0u7EGyDuhgTBQ4B h5LaviJ1kao/ZJrhn2HBCotSDGkaRZ/qRUJfZ5o+TA/TabjWAZLzFs6oOHcUNcRsjQ/3bEDUFxI OUCWO1JOwKrhY7np9bYh8vgWdZK4=
X-Google-Smtp-Source: AGHT+IFQ+DiODeM1LQLHsJXSAt2ya7EooUrR+JTqeIbMhS59+aHFgtBaXEKSi5tgzObk27/d9zJbLrxMYSFEhl5RphA=
X-Received: by 2002:a17:90a:d702:b0:28f:f249:3c4a with SMTP id y2-20020a17090ad70200b0028ff2493c4amr5085451pju.19.1706716321158; Wed, 31 Jan 2024 07:52:01 -0800 (PST)
MIME-Version: 1.0
References: <170661460529.51126.2059293570448810187@ietfa.amsl.com> <27988DD4-C458-4753-B0CB-CA22A7CDF53B@gmail.com>
In-Reply-To: <27988DD4-C458-4753-B0CB-CA22A7CDF53B@gmail.com>
From: Erik Kline <ek.ietf@gmail.com>
Date: Wed, 31 Jan 2024 07:51:49 -0800
Message-ID: <CAMGpriV+n5TZ6ArrXqUTE79k_N4yyHUDBSYH+yvMPYa8Rqs7eg@mail.gmail.com>
To: Suresh Krishnan <suresh.krishnan@gmail.com>
Cc: Andrew Alston <andrew-ietf@liquid.tech>, 6man <ipv6@ietf.org>, bob.hinden@gmail.com, The IESG <iesg@ietf.org>, draft-ietf-6man-sids@ietf.org, 6man Chairs <6man-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/f7X4vpsCGZ2G1cjyFO3RBU-7HNQ>
Subject: Re: [IPv6] Andrew Alston's Discuss on draft-ietf-6man-sids-05: (with DISCUSS and COMMENT)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2024 15:52:22 -0000

On Tue, Jan 30, 2024 at 7:55 AM Suresh Krishnan
<suresh.krishnan@gmail.com> wrote:
>
> Hi Andrew,
>   Thanks for your discussion points. Please find responses inline.
>
> > On Jan 30, 2024, at 6:36 AM, Andrew Alston via Datatracker <noreply@ietf.org> wrote:
> >
> > Andrew Alston has entered the following ballot position for
> > draft-ietf-6man-sids-05: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> > for more information about how to handle DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-6man-sids/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Hi,
> >
> > Thank you for the document.  There are various portions of this document that I
> > feel are worthy of a discussion.
> >
> > In Abstract the document states:
> >
> > "Due to the underlying use of IPv6, Segment Identifiers (SIDs) used by SRv6 can
> > resemble IPv6 addresses and behave like them while exhibiting slightly
> > different behaviors in some situations"
> >
> > I believe this to be inaccurate - you state further down in the document that
> > these SID's are used by transit nodes to forward, and treated (not
> > differentiated) from IPv6 addresses.
>
> I am not sure why this is inaccurate. For transit nodes these addresses are treated like any other IPv6 packets. For nodes implementing SRv6 and having the destination address of the packet SRv6 behaviors are implemented.
>
> >  Now, the way I see it this document is
> > attempting to have this both ways - either an SRv6 SID is IPv6 address address
> > - or it isn't.  If indeed it is an IPv6 address - it should conform.
>
> This was the exact question spring put forward to 6man to clarify. The document clearly states that SRv6 SIDs are not compliant with [RFC4291]. This is the relevant text in Section 3
>
> "It is clear that this format for SRv6 SIDs is not compliant with the requirements set forth in [RFC4291] for IPv6 addresses but it is also clear that SRv6 SIDs are not intended for assignment onto interfaces on end hosts."

Andrew,

I think this is exactly the point: the document doesn't say SIDs
sometimes are IPv6 addresses and sometimes aren't, rather it says they
are IPv6 addresses but not 4291 addresses (like NAT64, ORCHID, etc).

> > If it's
> > not - then SRv6 is indeed a separate data plane with all the caveats that come
> > with that.  Further more, by stating that SID's are not IPv6 addresses, it
> > creates an impression that SID's are not routable over the general internet -
> > which - without special precautions / filters etc - they most certainly are.
> > Hence I have deep concerns about the impressions this document will create
> > vis-a-vie the security of SRv6.
>
> I do not see the security concern created by this document. Can you please explain an attack that is made possible by this document that is not possible otherwise?
>
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Section 4.1 of the document is no longer relevant - Spring Working group is
> > considering CSID (Next/Replace) and only those two, so this section of the
> > document is probably unnecessary.
> >
> > I would also question if since we are talking about special handling of CSID's
> > - would this document not also be the correct place to deal with fact that in
> > certain circumstances CSID's result in broken L4 Checksums?
>
> Section 4.1 is there only for historical context. Since both you and Jim brought it up as a concern, I think it makes sense to remove it and leave CSID questions to spring.
>
> Thanks
> Suresh
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email