IETF Logo Mail Archive

Re: Segment Routing Drafts

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 02 March 2019 00:55 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A0FD131028 for <ipv6@ietfa.amsl.com>; Fri, 1 Mar 2019 16:55:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qZ3uKNn9gVVZ for <ipv6@ietfa.amsl.com>; Fri, 1 Mar 2019 16:55:46 -0800 (PST)
Received: from mail-pg1-x543.google.com (mail-pg1-x543.google.com [IPv6:2607:f8b0:4864:20::543]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94534130EB1 for <ipv6@ietf.org>; Fri, 1 Mar 2019 16:55:46 -0800 (PST)
Received: by mail-pg1-x543.google.com with SMTP id l11so12210915pgq.10 for <ipv6@ietf.org>; Fri, 01 Mar 2019 16:55:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=R1y+g6TN2YeY9X8vTESjtoC7QyUPq2BssYVib2GwinI=; b=lj67iB4N4aq5x6uqvWiy1Mg9Yn5UZSdIfgmiGj341Pf3HI23NDd9H2K8e800AaE+8w f1Q/YP6zHRzeGXJIgTRTaCkvG7eyv2oUXCb8mzgyhOIoc3Tl0lH/v9qbR17VQY7f769i cYkl2OFbytv3d8EGRqEVajMPCHDCq/8Vd89FGC0/478Fxknb9kbT3Wp1ggNv37RHubJJ fr52CRaH0SOFhgoxmFKSCRnkP67XQRc4By8yUQwjekJzISXQMfLQQ+TK5V36Vz2Jbb9e ZezHxuxADghu9pKFG3t44MEOg/sSCb+Y5D8o5jJRKRotrBytgsGjAm7RxJBj+SNENH8Y d79A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=R1y+g6TN2YeY9X8vTESjtoC7QyUPq2BssYVib2GwinI=; b=cF4BYzcKnHBp5G41J9WUXx+1ewdRTreXvfIXT7b23pU4G0ysMRq4KQgfsmAs2x8KIe h4rY8l7CD6ZdhsXUufPFQHt8YJSCYFFb3lZ7+juUX0R7BtjwxwhPWjXeMZ7ybcW2LYZD jOsdmcQlYz/XfFPKl9K9+gmZ8GkqTCqT8EepJ/JtthQG/tFNJA8CncCm9n4eO/D/J3U7 iDizIcMfl0D++zGZtkLP4ZQAy4QUmFg6oP4w409EuXjuNCv+6Sfde4SDoUwSORyySGQY Zhpmqbli9uM0MA7KZfNQytlPuN30wgjmXxVdXHltiQkQrbbVJ6pHJarE7v37uEbEwtpP DWkA==
X-Gm-Message-State: APjAAAUiZCRTF7cs79VWKLEhjLjnFZyfTkuOnwTBTTRIC2CeugxDNpmT W4cMxsevE0AxlaH1WCqK4/D1yTON
X-Google-Smtp-Source: APXvYqwXHCLKcTqZPMiZWx9byLRLx44hBNyMCmM+xdzd4DxNl4e59u3tbped74ErGNFhogMEm2/1DA==
X-Received: by 2002:a63:68c9:: with SMTP id d192mr7835450pgc.264.1551488145615; Fri, 01 Mar 2019 16:55:45 -0800 (PST)
Received: from [192.168.178.30] ([118.148.79.176]) by smtp.gmail.com with ESMTPSA id j197sm38752101pgc.76.2019.03.01.16.55.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Mar 2019 16:55:44 -0800 (PST)
Subject: Re: Segment Routing Drafts
To: Tom Herbert <tom@herbertland.com>
Cc: Fred Baker <fredbaker.ietf@gmail.com>, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, IPv6 List <ipv6@ietf.org>
References: <BYAPR05MB424560001F76E403A33B94E7AE750@BYAPR05MB4245.namprd05.prod.outlook.com> <341A6C5C-3670-4C8F-A8CA-C80182AC1F3C@gmail.com> <7dffddcd-a810-764e-3929-01d7b400c410@gmail.com> <CALx6S37K-SbZOdmeu1vviDk2paEuyT4QXioXHq+Ok8WXVkfFVQ@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <f6df20e6-765a-2787-df78-0a18297f067f@gmail.com>
Date: Sat, 02 Mar 2019 13:55:41 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <CALx6S37K-SbZOdmeu1vviDk2paEuyT4QXioXHq+Ok8WXVkfFVQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hJidDROf0fwhp_XVH8dRBCHsK4E>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2019 00:55:49 -0000

On 02-Mar-19 13:39, Tom Herbert wrote:
> On Fri, Mar 1, 2019 at 4:23 PM Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:
>>
>> On 02-Mar-19 11:25, Fred Baker wrote:
>>>
>>>
>>>> On Feb 27, 2019, at 8:22 PM, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
>>>> - https://datatracker.ietf.org/doc/draft-bonica-6man-oam/
>>>
>>> I read this draft, and was immediately puzzled. The OAM option is useful if and only if it is implemented and configured, and (per the security considerations) is a reason the packet should not be permitted to enter aa subsequent network.
>>
>> The text is confusing. It says:
>>
>>    Network operators should block packets containing these extension
>>    headers at their boundary.
>>
>> I hope that that is meant to say:
>>
>>    Network operators should block packets containing the OAM option
>>    at their boundary.
>>
>> Because clearly it is way out of scope for this draft to address
>> firewall recommendations in general (which anyway are covered by
>> draft-ietf-opsec-ipv6-eh-filtering, currently "Waiting_for_AD_Go-Ahead").
>>
>>> As such, it is only useful on a small subset of the systems it encounters, and only in the originating network.
>>>
>>> Am I reading this correctly?
>>
>> Well, if it is intended as part of the segment routing specs,
>> that needs to be stated in the draft. If so, it presumably inherits
>> the property of segment routing that it only works within a Segment
>> Routing Domain (https://tools.ietf.org/html/rfc8402#page-6)
>> and the OAM option would be blocked at the domain boundary.
>>
> 
> Hi Brian,
> 
> I don't see how facility is specific to segment routing. It seems like
> a more general OAM service. That's also true of the VPN Context
> Information Option.

That's possible, but I'm going by Ron's cover note. It doesn't change
my comment or Fred's very much though: if there isn't an SR domain
boundary, the text clearly assume there is some sort of boundary
where packets might be dropped.
> 
>> Which is one of the motivations for draft-carpenter-limited-domains,
>> of course.
>>
> As opposed to relying on an external firewall that may or may not
> exist or being correctly configured to enforce a limited domain, I
> suggest that the source itself should be responsible to decide whether
> it's safe and feasible to use this option or any extension header to
> some destination. Note that if the extension header is causing
> problems, it's only the source that will be able to detect the problem
> and take action (e.g. only the source node would receive an ICMP error
> caused by an extension header).

Or it would simply disappear into black hole. But basically I agree,
the source (and the boundary node that might drop packets) needs to
know what it's doing. Exactly why the limited-domains draft has
these requirements:
 
>>    7.  Verify Peer.  A node must be able to verify whether another node
>>        is a member of the domain.
>> 
>>    8.  Verify Role.  A node must be able to learn the verified role of
>>        another node.  In particular, it must be possible for a node to
>>        find boundary nodes (interfacing to the Internet).

   Brian

v2.23.0 | Report a Bug | By Email