Re: Questions regarding the security mechanisms//RE: CRH and RH0

John Scudder <jgs@juniper.net> Fri, 22 May 2020 17:12 UTC

From: John Scudder <jgs@juniper.net>
To: Robert Raszuk <robert@raszuk.net>
CC: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>, Ron Bonica <rbonica@juniper.net>, 6man <6man@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0
Date: Fri, 22 May 2020 17:12:22 +0000
Message-ID: <5D82212D-463A-4CB4-8B2D-C4D26E92F245@juniper.net>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com> <891ccad03b484c7386ab527d89143f8c@huawei.com> <87E86EE4-7D6C-49A3-A965-317C3F95A346@juniper.net> <ab0b9d67d294464fb886b9cb5e7639a5@huawei.com> <592214BF-5340-40A6-86C8-430C87AC0171@juniper.net> <CAOj+MMFvrCgt0BVEga4CRE6EK6CPwzUzsYCtAKGEXZ5pLrZXtg@mail.gmail.com>
In-Reply-To: <CAOj+MMFvrCgt0BVEga4CRE6EK6CPwzUzsYCtAKGEXZ5pLrZXtg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hND2TirZiBnCIJhLKC9qq9I5F00>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Hi Robert,

Your comments have no relevance to the conversation I’m having with Jingrong. You’ve completely misunderstood; we are talking about security.

—John

On May 22, 2020, at 12:11 PM, Robert Raszuk <robert@raszuk.net> wrote:

Hi John,

I am afraid any new technology IETF adopts to work on should support a basic minimum of network functionality.

And while I know some people still depend on IGP or BGP convergence in their networks - new designs are more and more based on local protection (node or link).

Therefore it should be in the interest of the authors of the new proposal to describe how local protection works with their idea. Not the other way around.

Unless you are questioning the need for local protection altogether and thinking that seconds or minutes of outage is all ok. (Which I do sincerely hope you do not).

Many thx,
R.


On Fri, May 22, 2020 at 6:01 PM John Scudder <jgs=40juniper.net@dmarc.ietf.org> wrote:
I’m not sure if it’s worth pursuing this much farther considering it’s not directly applicable to CRH as such. However:

On May 22, 2020, at 11:51 AM, Xiejingrong (Jingrong) <xiejingrong@huawei.com> wrote:
>
> [XJR] The "complemented per-node protection" is very useful for a layered security mode.

I might be convinced if you have reasons for this that address the analysis I provided in my own message. However, a bald statement that it’s “very useful” without further support doesn’t seem too helpful.

Regards,

—John