Re: I-D Action: draft-vyncke-6man-segment-routing-security-00.txt

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Fri, 11 July 2014 07:54 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, 6man <ipv6@ietf.org>
Subject: Re: I-D Action: draft-vyncke-6man-segment-routing-security-00.txt
Date: Fri, 11 Jul 2014 07:54:28 +0000
Message-ID: <CFE56204.20B2F%evyncke@cisco.com>
References: <20140703134709.19452.78442.idtracker@ietfa.amsl.com> <53BF5A67.7050401@gmail.com>
In-Reply-To: <53BF5A67.7050401@gmail.com>

Brian

Thanks for your review.

You are right: extension headers are _usually_ inserted by the source. But
this is not _always_ the case; for instance, we can argue that ESP/AH in
tunnel mode can be added by a security gateway.

So, inserting a SRH is not that exceptional. Of course, special care must
be taken for MTU, but in the use case this would not be a problem, as SRH is
used mainly within a single operator, so a prerequisite is to have a
larger MTU on all internal links.

Note: I just quickly read RFC 2460 again, and I did not find any place
where it is specified that extension headers must be inserted only by the
source. If my reading is wrong, then this is another reason to propose
this I-D to 6MAN ;-)


-éric

On 11/07/14 05:30, "Brian E Carpenter" <brian.e.carpenter@gmail.com> wrote:

>Hi,
>
>This draft says:
>
>>    The SRH is simply another version of the routing header as described
>>    in [RFC2460] and is:
>> 
>>    o  inserted when entering the segment routing domain which could be
>>       done by a node or by a router;
>
>There is no provision for routers to insert headers in an IPv6 packet,
>because this changes the packet size (and the payload length) and
>therefore breaks PMTU mechanisms. Only the host that originates a packet
>can insert headers.
>
>It seems that draft-previdi-6man-segment-routing-header-01 has the
>same problem. It says:
>
>>    When creating the SRH (either at ingress node or in the SDN
>>    controller) the following is done:
>> 
>>       Next Header and Hdr Ext Len fields are set according to [RFC2460].
>> 
>>       Routing Type field is set as TBD (SRH).
>> 
>>       The DA of the packet is set with the address of the FIRST segment
>>       of the path.
>
>(etc.)
>
>These are operations that can only be done by the host that creates
>the IPv6 packet, which is also the only place that a fragment header
>can be included if needed. As I understand it, the "ingress node" is
>a router, not the originating host. So this seems to be broken.
>
>   Brian
>
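As an added example, not code from either draft or from anyone in this thread, here is the ingress-node rewrite both messages argue about, done in Python on a constructed 1500-byte packet: an SRH is spliced in after the base header, Next Header is chained, Payload Length grows, and the Destination Address becomes the first segment. The SRH layout is a simplification assumed for this example (RFC 2460 generic routing-header fixed part plus one 16-byte address per segment, with a placeholder Routing Type since the draft says TBD), and `required_internal_mtu` expresses Eric's "larger MTU on all internal links" prerequisite.

```python
import struct
import ipaddress

IPV6_HDR_LEN = 40
NH_ROUTING = 43          # Next Header value of a Routing header (RFC 2460)
SRH_ROUTING_TYPE = 0xFF  # placeholder: the draft leaves the Routing Type as TBD


def build_srh(next_header, segments):
    """Minimal SRH: 8-byte RFC 2460 routing-header fixed part (4 bytes of
    type-specific data left zero here) plus one 16-byte address per segment.
    Segments are stored in reverse order, so Segments Left = n-1 indexes
    the first segment (assumed layout, not the draft's exact wire format)."""
    n = len(segments)
    hdr_ext_len = 2 * n  # 8-octet units, not counting the first 8 octets
    fixed = struct.pack("!BBBB4x", next_header, hdr_ext_len, SRH_ROUTING_TYPE, n - 1)
    seg_list = b"".join(ipaddress.IPv6Address(s).packed for s in reversed(segments))
    return fixed + seg_list


def insert_srh(packet, segments):
    """Rewrite an IPv6 packet the way the draft's ingress node would: splice
    an SRH between base header and payload, chain Next Header, bump Payload
    Length and point the Destination Address at the first segment."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    srh = build_srh(next_header, segments)
    new_payload_len = payload_len + len(srh)
    if new_payload_len > 0xFFFF:
        raise ValueError("Payload Length would overflow")
    head = packet[:4] + struct.pack("!HBB", new_payload_len, NH_ROUTING, hop_limit)
    new_dst = ipaddress.IPv6Address(segments[0]).packed
    return head + packet[8:24] + new_dst + srh + packet[IPV6_HDR_LEN:]


def fits_link(packet, link_mtu):
    """The PMTU question Brian raises: does the grown packet still fit?"""
    return len(packet) <= link_mtu


def required_internal_mtu(external_mtu, n_segments):
    """Smallest internal link MTU at which a packet sized to the external
    PMTU still fits after SRH insertion (8-byte fixed part + 16 per segment)."""
    return external_mtu + 8 + 16 * n_segments


# Constructed sample: 1500-byte UDP/IPv6 packet (40-byte header + 1460 payload)
PAYLOAD = b"\x00" * 1460
SAMPLE_PACKET = (struct.pack("!IHBB", 0x60000000, len(PAYLOAD), 17, 64)
                 + ipaddress.IPv6Address("2001:db8::1").packed
                 + ipaddress.IPv6Address("2001:db8::2").packed + PAYLOAD)
SEGMENTS = ["2001:db8:1::1", "2001:db8:1::2", "2001:db8:1::3"]
```

Running `insert_srh(SAMPLE_PACKET, SEGMENTS)` turns a packet that fits a 1500-byte link into a 1556-byte one, which is exactly the size change Brian points out and the reason for Eric's internal-MTU prerequisite.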