IETF Logo Mail Archive

[IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr

Tom Herbert <tom@herbertland.com> Tue, 31 October 2023 16:47 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFC5DC170604 for <ipv6@ietfa.amsl.com>; Tue, 31 Oct 2023 09:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DDrTAjpdtPPl for <ipv6@ietfa.amsl.com>; Tue, 31 Oct 2023 09:47:04 -0700 (PDT)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAEFCC170600 for <ipv6@ietf.org>; Tue, 31 Oct 2023 09:47:04 -0700 (PDT)
Received: by mail-pg1-x529.google.com with SMTP id 41be03b00d2f7-5b9a453d3d3so1747162a12.0 for <ipv6@ietf.org>; Tue, 31 Oct 2023 09:47:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1698770823; x=1699375623; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sydEARXNxIabskzKfHEqXiJg09bOi9Kce9Z0+gD5iRs=; b=Y1WLtu7ehZWxlwtGi7zJ6KT+KeIUv1kX7JdtCm0vPif/9o+ZZjdHJT5F+yzis8+2rq S5rEEwjgkjVyhKjG9kswVWpIFbzWd3lEdaE07XnsJTJ1RU+JaHB/AcVJE4wUcpNBzfQQ pBrcaA9rRS1amQjRUeWK4Y1U6tNujyjxrY2KccrIM1KNdiEfzH/prtPgH1qKjdn1Rqf2 uDTFO1mC0XGduCL2yQZ1yIsXUOUU4ZNFxpJEjb3yjkvy5axCGiZ/k9pRhdh7caoQgYKp K4d37IzdvdDJTD5eSojZ3veBAC/8eyOHR6I/nLltOtUetj5LCFOd4akf3N0x94Nl2GBi 1yCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698770823; x=1699375623; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sydEARXNxIabskzKfHEqXiJg09bOi9Kce9Z0+gD5iRs=; b=elmRy4LsBxZe/X2wsLalrwKjqo8sj+vRwcxyfV3OA25L12Cw1EJLi4lxeDkHEd5F6B sbNjaso5LpWNW3+HxeRsPX4jLKSXcCGWj8yEvUvzQqV2O48j18DCYYfRWGI9upR+6PKz iogmpFTzY+UTbYkwmaPTKPauAABFpAfqTNb8FQ8qjnCSPn3Uey2c1aMizfqOs6DPEbWC mOkHnPRsxfkcefxqmeB7QN8l1emBSSeHxU0eKozsSvWpzzZy33bFESmuVGje8mLaC0e8 79MOwhRcm9Ih6WJpp0ldqM5iGYn/KlUisSU0cXDsREvFQLjacivvoIfYSNK+gfsUR1Mg SRtQ==
X-Gm-Message-State: AOJu0YzYSpVC3Riee7q8HP7CpkUFSdPhKNblFyiFc+sn99bp5LR5o9pa 523E/0vJ97JTkhxMdT4WxCdl3hxi2jndFoa+eBZb0gVitSA5KRUHN8aPqA==
X-Google-Smtp-Source: AGHT+IFSrpUz8BOCRQgIdK9sCOnWPUTvMOSlPrgst8A/0/8Ja1clcRDPcosgQ97Cnscjb3brYCc0TpFNywm6EhEtMlE=
X-Received: by 2002:a17:90a:1997:b0:280:6d53:f5d2 with SMTP id 23-20020a17090a199700b002806d53f5d2mr4768222pji.11.1698770823442; Tue, 31 Oct 2023 09:47:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BARQLAS+w7kKUPSBgFacc5GXNAaJ97qkJg9VyjbhoNibcQ@mail.gmail.com> <CAMMESsysV1Oc3JyU058GRbUFfs18WEz16GKLcZX-waFo+hoN0w@mail.gmail.com> <BL0PR05MB5316B366B7B4A3C1D4AF4686AEA3A@BL0PR05MB5316.namprd05.prod.outlook.com> <CAMMESsxQj9hRS2HxHWK67EkR-=s-3Qor88+qGRzYFMnrJOR_qQ@mail.gmail.com> <BL0PR05MB53166A455E68541ED2586EC5AEA2A@BL0PR05MB5316.namprd05.prod.outlook.com> <CACMsEX-juiW5uOHze3j4zRnrG_Djn4S99hB=TJi3OgEiQz6QxA@mail.gmail.com> <CAO42Z2yR9Y_MszPuia3eS6zv2WJFiqb07juatp99bhbDO0kbxA@mail.gmail.com> <CAO42Z2y8e46hv0Cf49gHJnEimjrOg1dOwa2x36Zu77vBWzvdKw@mail.gmail.com> <f2150c48-480b-45a7-98a6-b2893ead8065@joelhalpern.com> <CALx6S37_2SAfOPsyKcXa6qKinAw_8tf7W_d5i8G86R2QEdck6Q@mail.gmail.com> <108bd733-5c66-4fb5-8224-fb2a1898ecc9@joelhalpern.com> <CALx6S37eJDJ1HpWrQOasOGqnVZyEDQYkmQxxjfpcHhykSUA1Bw@mail.gmail.com> <e45743ed-67bf-45a7-a60c-9dba2bb5de32@joelhalpern.com> <CALx6S374WuKBHodNCuPpZLe0g3BRLWsE9dANLDvidZPUca5C+w@mail.gmail.com> <744cd045-ee48-4829-bc6c-b36467c2acfd@joelhalpern.com>
In-Reply-To: <744cd045-ee48-4829-bc6c-b36467c2acfd@joelhalpern.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 31 Oct 2023 09:46:51 -0700
Message-ID: <CALx6S37SHG4Ut+8gsZW1UE-ykKpkj-wA8W1uiQEqFmdoqrkWAQ@mail.gmail.com>
To: Joel Halpern <jmh@joelhalpern.com>
Cc: 6man <ipv6@ietf.org>, draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/fwtZLUrSAAlxM8FKeFwKZAWbKTI>
Subject: [IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2023 16:47:08 -0000

On Mon, Oct 30, 2023 at 6:33 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>
> Maybe I am dense, but I have trouble seeing how a node could have enough information to compose a useful CRH source route, and not have enough information to know where the relevant decapsulator is.  The most obvious candidate would be simply to decapsulate at the last entry in the source route.  it doesn't matter if that is (as is likely) not actually the egress.

Hi Joel,

Yes, that would probably be the most obvious candidate, and it's also
a candidate for removing the RH. Once segments left is zero, the
routing header is not operationally relevant to any downstream nodes.

But even if that were the obvious choice for an encapsulation, I still
don't see how the source could know when to encapsulate and when not
to. A possible solution might be to tunnel all packets, but then
that's a lot of per packet overhead especially if most packets never
actually leave the limited domain.

More generally, constraining protocols like routing header to a
limited domain is required and it's clear that *something* needs to
happen at edge routers of the limited domain.
draft-raviolli-intarea-trusted-domain-srv6 has a good description of
the problem. That's focused on SR, but other routing headers like CRH,
and other use cases of extension headers also have similar
requirements-- I would hope that there might be a general solution to
limiting protocol to limited domains (IMO, a new Ethertype like
described in that draft isn't the best solution and is likely to
create a set of new problems)

Another variant is the possibility in segment routing that segment
routing could be applied to a packet without a routing header. I
assume the rationale for this is to avoid the overhead of the routing
header, and presumably this could be done for CRH. IMO, this is going
to be more problematic than removing routing headers. As you pointed
out, if we remove a RH then we no longer would know how the packet got
to where it is in the network; but, if there's no routing header to
begin with then not only would we not know how the packet got to the
point it was sampled, but we wouldn't know what the final destination
is either. This is true over the whole path even in the limited domain
and would make debugging very difficult. There are other problems as
well, for instance it might be tempting to allow transport layer
checksum like TCP and UDP to be incorrect while the packet is inflight
(IMO that will also make debugging difficult, it would be better to
maintain a correct checksum on the wire when the destination address
changes similar to how NAT does it). There's also the problem of
filtering these packets at the edge since they don't have a routing
header, I suppose this is one of the motivations to define a new
Ethertype for segment routing but as I mentioned I believe Ethertype
entails a new set of problems.

>
> I also admit that I wonder how common this case is, since the reverse direction traffic either ends up without a soruce route, or ends up with a source route applied by an unknown entity?    Again, if the purpose of the source rotue is to apply policy inside the domain, then it is likely that the specifying entity can pick a suitable decapsualtion point.  Maybe not a symmetric one, but symmetry is a different issue.

Wouldn't that aslo be true of traffic that never leaves the limited
domain? I don't believe there's any requirement for routing headers to
be symmetric and that probably doesn't make a lot of sense anyway with
something like SFC which may be asymmetric anyway. I suppose a
destination might just try to reverse the segment list to send on the
return path, but that may or may not be the right thing to do. FAST
has a concept of reflecting the HBH Option, but I don't see how
reflection could work with routing headers.

Tom

>
> Yours,
>
> Joel
>
> On 10/30/2023 7:54 PM, Tom Herbert wrote:
>
>
>
>
> On Mon, Oct 30, 2023, 4:34 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>>
>> Interesting question about what is supposed to happen with a packet originating in the limited domain, using the CRH to traverse the limited domain, but intending to be sent otuside of the domain after the CRH is exhausted.  I tend to assume that would be done with encapsulation to make sur ethe CRH has to be removed at the domain edge, rather than hoping the edge device gets it right.
>
>
> Joel,
>
> If encapsulation is used then a host would need to know for which destinations it needs to encapsulate, and if it does encapsulate then it needs to the destination address of the encapsulation. It's not obvious that a host would readily know either of those pieces of information.
>
> As for hoping the edge device gets things right, the draft already mentions requirements that edge devices can drop packets with CRH at the egress, so there are already assumptions that the network edge is doing the right thing. Such assumptions are probably going to exist for any protocol that is intended to be restricted to a limited domain.
>
>> However, I grant that the draft does not say that.  It's security discussion is focussed in the case of an external packet entering the limited domain.  While that is more important, the case you describe should also be properly covered.
>
>
> Yes. I think the draft should discuss the handling of packets at the edge with a CRH and segments left == 0. IMO, dropping is too austere as required tunneling would be. Just forwarding could be a security liability. Hence, removing the RH seems reasonable to me.
>
> Anyway, I support adoption of this draft.
>
> Tom
>
>> Yours,
>>
>> Joel
>>
>> On 10/30/2023 7:29 PM, Tom Herbert wrote:
>>
>>
>>
>> On Mon, Oct 30, 2023, 4:14 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>>>
>>> As I expect you knew when you wrote that, I at least do not think that
>>> is a good way to achieve the security properties.   On the one hand, if
>>> the CRH is applied along with an encapsulating IPv6 header, then it will
>>> be removed along with the IPv6 header according to the current specs.
>>> So the final destination of the tunnel takes care of it.  (If the packet
>>> is initially sent and finally received inside the limited domain, then
>>> there is no issue to even discuss.)
>>
>>
>> Joel,
>>
>> Sure, if the packet is tunneled.
>>
>>>
>>> On the other hand, removing the CRH when it is exhausted but still
>>> within the domain has the effect of leaving a packet in an odd place in
>>> the domain with no trace of how it got there.  This does not seem an
>>> operationally desirable behavior.
>>
>>
>> I suggest only to remove it when the packet exits the domain (for case where packet is not tunneled).
>>
>>>
>>> In general, I think removing IPv6 header fields along the way
>>> cintroduces more problems than it solves.  And even your arguments for
>>> doing so do not seem to apply to this case.
>>
>>
>> If packets are always tunneled then it might not be applicable, but I don't believe tunneling should be required (and if it is, people will certainly be complaining about packet overhead for tunnels)
>>
>> Tom
>>
>>>
>>> Yours,
>>>
>>> Joel
>>>
>>> On 10/30/2023 6:39 PM, Tom Herbert wrote:
>>> > On Mon, Oct 30, 2023 at 3:06 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>>> >> I think it is a little subtler than that.  If the operator's rotuer requires that the incoming DA is a ULA before it will look for a CRH, then I believe you are correct.  But there is no such restriction in the document, even if the operator requires that all CRH-FIB entries have ULA IPv6 addresses in the mapping table.
>>> >>
>>> >> There are a number of ways to strengthen the filtering beyond what is specified currently in the draft.  I presume it would be up to the working group to decide which, if any, of the possible enhancements we want to require.  The draft as currently written says that part of the experiment is to determine if the specified filtering is sufficient.  We can of coruse change that once we adopt the draft if we conclude we should.
>>> > One possible enhancement is removing the routing header from packets
>>> > at an egress router when segments left == 0
>>> > (draft-herbert-eh-inflight-removal-01). This prevents leaking the
>>> > segment list beyond the domain.
>>> >
>>> > Tom
>>> >
>>> >> Yours,
>>> >>
>>> >> Joel
>>> >>
>>> >> On 10/30/2023 6:01 PM, Mark Smith wrote:
>>> >>
>>> >> *RFC 4193
>>> >>
>>> >> On Tue, 31 Oct 2023, 08:41 Mark Smith, <markzzzsmith@gmail.com> wrote:
>>> >>>
>>> >>>
>>> >>> On Tue, 31 Oct 2023, 05:55 Nick Buraglio, <buraglio@forwardingplane.net> wrote:
>>> >>>> I support adoption of this draft and experiment. I would also be
>>> >>>> interested in seeing any code that comes out of it, especially
>>> >>>> something I can run to poke at the filtering tooling, which I think is
>>> >>>> the elephant in the room.
>>> >>>
>>> >>>
>>> >>> It's a baby elephant if a ULA prefix is used for this function.
>>> >>>
>>> >>> May leak into the Internet via a default route, however upsteam should drop it with a BCP38 filter, if you don't drop ULA source and destination packets yourself, as you should be per RFC 4194 operational advice.
>>> >>>
>>> >>> You can't receive any packets with the CRH in them from the Internet if your CRH packets can only have ULA addresses.
>>> >>>
>>> >>>
>>> >>>> nb
>>> >>>>
>>> >>>> On Sun, Oct 29, 2023 at 1:09 PM Ron Bonica
>>> >>>> <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>>> >>>>> Hi Alvaro,
>>> >>>>>
>>> >>>>> Thanks. I will clean up both issues in the next revision.
>>> >>>>>
>>> >>>>>                                                 Ron
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> Juniper Business Use Only
>>> >>>>> -----Original Message-----
>>> >>>>> From: Alvaro Retana <aretana.ietf@gmail.com>
>>> >>>>> Sent: Sunday, October 29, 2023 8:43 AM
>>> >>>>> To: 6man <ipv6@ietf.org>; Ron Bonica <rbonica@juniper.net>; Jen Linkova <furry13@gmail.com>
>>> >>>>> Cc: draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
>>> >>>>> Subject: RE: [IPv6] Adoption call for draft-bonica-6man-comp-rtg-hdr
>>> >>>>>
>>> >>>>> [External Email. Be cautious of content]
>>> >>>>>
>>> >>>>>
>>> >>>>> On October 28, 2023 at 7:07:47 PM, Ron Bonica wrote:
>>> >>>>>
>>> >>>>> Ron:
>>> >>>>>
>>> >>>>> Hi!
>>> >>>>>
>>> >>>>>
>>> >>>>> ...
>>> >>>>>>> (1) Limited domain -- what is it? The Introduction says that the CRH
>>> >>>>>>> "Is designed to operate within a limited domain. (See Section 9)." I
>>> >>>>>>> expected Section 9 to include a definition or discussion of "limited
>>> >>>>>>> domain", but one is not present.
>>> >>>>>> [RB] The best definition of a “limited domain” is in RFC 8799. Sadly,
>>> >>>>>> RFC
>>> >>>>>> 8799 is not an IETF consensus document. I can add a reference to it if
>>> >>>>>> you like.
>>> >>>>> The main observation is that the text pointed to Section 9, but there's nothing there about it.  FWIW, I'm ok with you either including a reference to something else, adding text in Section 9, or taking the pointer out.
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> ...
>>> >>>>>>> (2) Incoming Filtering -- from the Security Considerations section:
>>> >>>>> ...
>>> >>>>>>> "MUST NOT accept" and "SHOULD discard" are in normative
>>> >>>>>>> contradiction: it is either required to discard packets containing a
>>> >>>>>>> CRH or it is just recommended.  I can't imagine the cases when it
>>> >>>>>>> would be ok to not discard them.
>>> >>>>>> [RB] The router MUST NOT accept the packet. The Security Consideration
>>> >>>>>> section offers several methods for filtering the packet. The router
>>> >>>>>> SHOULD use the first method, because it causes the least collateral
>>> >>>>>> damage. However, if it can’t do that, it MAY do the second and so forth.
>>> >>>>> Ahh, I see what you mean -- I clearly didn't read the text that way.
>>> >>>>>
>>> >>>>> The MUST NOT, SHOULD or MAY construct is not clear because it gives the impression that the SHOULD clause can be bypassed (with good clause), and the MAY clause is optional -- which could result in no filtering. :-(
>>> >>>>>
>>> >>>>> Suggestion>
>>> >>>>>
>>> >>>>>    SHOULD NOT accept packets received from outside their domain if a
>>> >>>>>    CRH is present and the DA is inside the domain.
>>> >>>>>
>>> >>>>>    The border MAY not filter an incoming packet in which the CRH SL
>>> >>>>>    field has a value of 0.
>>> >>>>>
>>> >>>>>
>>> >>>>> IOW, the only exception is if SL=0.
>>> >>>>>
>>> >>>>> I trust you'll make the logic clear.
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>>> (3) Outgoing Filtering -- also from the Security Considerations section:
>>> >>>>> ...
>>> >>>>>>> I'm not sure why a border router would send a packets with an
>>> >>>>>>> internal DA through an external interface (under normal
>>> >>>>>>> circumstances). I also don't understand why the action is optional. Please explain.
>>> >>>>>> [RB] This packet would be from an external attacker. Under normal
>>> >>>>>> circumstances, it would not exist.
>>> >>>>>>
>>> >>>>>> See above for MUST v SHOULD v MAY
>>> >>>>> Yeah, I misread the text.
>>> >>>>>
>>> >>>>> Should there be any outgoing filtering considerations?
>>> >>>>>
>>> >>>>>
>>> >>>>> Thanks!
>>> >>>>>
>>> >>>>> Alvaro.
>>> >>>>>
>>> >>>>> --------------------------------------------------------------------
>>> >>>>> IETF IPv6 working group mailing list
>>> >>>>> ipv6@ietf.org
>>> >>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> >>>>> --------------------------------------------------------------------
>>> >>>> --------------------------------------------------------------------
>>> >>>> IETF IPv6 working group mailing list
>>> >>>> ipv6@ietf.org
>>> >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> >>>> --------------------------------------------------------------------
>>> >>
>>> >> --------------------------------------------------------------------
>>> >> IETF IPv6 working group mailing list
>>> >> ipv6@ietf.org
>>> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> >> --------------------------------------------------------------------
>>> >>
>>> >> --------------------------------------------------------------------
>>> >> IETF IPv6 working group mailing list
>>> >> ipv6@ietf.org
>>> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> >> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email