IETF Logo Mail Archive

Re: [IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr

Justin Iurman <justin.iurman@uliege.be> Wed, 01 November 2023 20:04 UTC

Return-Path: <justin.iurman@uliege.be>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E5FBC17C522; Wed, 1 Nov 2023 13:04:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.405
X-Spam-Level:
X-Spam-Status: No, score=-4.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uliege.be
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJgLwkkS5AAW; Wed, 1 Nov 2023 13:04:39 -0700 (PDT)
Received: from serv108.segi.ulg.ac.be (serv108.segi.ulg.ac.be [139.165.32.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1738BC17C51F; Wed, 1 Nov 2023 13:04:38 -0700 (PDT)
Received: from [10.83.123.35] (unknown [38.142.2.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by serv108.segi.ulg.ac.be (Postfix) with ESMTPSA id D98F1200DF8B; Wed, 1 Nov 2023 21:04:34 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 serv108.segi.ulg.ac.be D98F1200DF8B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uliege.be; s=ulg20190529; t=1698869075; bh=8lmSi2/bEO32UHM8TDq+DRzumc83eurxM/be717QYcI=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=SrGU/jvWJjanUQUYXLtSsYu9PxuPwg6Dhrj9gOhW/0HfiO0wnI74X3SiU0WeyED/v 0r81hdZfxkH5K3fxYzERlhFayM9bl79hI2Kh/Yqa/s/uJj1aY/w8vyIKyGlEEuRm8x TXtfttAfe707YVEXPOPTgAY8wlTAIRPmxAdePTlRborfixaKBSyLxFDlLE8bJpVQH8 KCviNwxY559aurbQwc5+HLHJE2DY5BkOc/igzwZ2NoTeKbi6wuQ9CSjp/KaGArBhrG la4TPs6NEHiS+R7WvGkgfG9tjo81/ZwJ+O1l3gNUq5tdRVeLkSRP8XDAgWhBuMJk1+ BFO2WQyCKxb6g==
Message-ID: <e85b0feb-8d20-4a62-b074-90e070b8801c@uliege.be>
Date: Wed, 01 Nov 2023 13:04:32 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>, Tony Przygienda <tonysietf@gmail.com>
Cc: 6man <ipv6@ietf.org>, draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
References: <CAFU7BARQLAS+w7kKUPSBgFacc5GXNAaJ97qkJg9VyjbhoNibcQ@mail.gmail.com> <CAO42Z2yR9Y_MszPuia3eS6zv2WJFiqb07juatp99bhbDO0kbxA@mail.gmail.com> <CAO42Z2y8e46hv0Cf49gHJnEimjrOg1dOwa2x36Zu77vBWzvdKw@mail.gmail.com> <f2150c48-480b-45a7-98a6-b2893ead8065@joelhalpern.com> <CALx6S37_2SAfOPsyKcXa6qKinAw_8tf7W_d5i8G86R2QEdck6Q@mail.gmail.com> <108bd733-5c66-4fb5-8224-fb2a1898ecc9@joelhalpern.com> <CALx6S37eJDJ1HpWrQOasOGqnVZyEDQYkmQxxjfpcHhykSUA1Bw@mail.gmail.com> <e45743ed-67bf-45a7-a60c-9dba2bb5de32@joelhalpern.com> <CALx6S374WuKBHodNCuPpZLe0g3BRLWsE9dANLDvidZPUca5C+w@mail.gmail.com> <744cd045-ee48-4829-bc6c-b36467c2acfd@joelhalpern.com> <CALx6S37SHG4Ut+8gsZW1UE-ykKpkj-wA8W1uiQEqFmdoqrkWAQ@mail.gmail.com> <CA+wi2hMzdxBr+_cX1ZQ_KTh9+5Y8990yKaFpCYBBzM3MR=WD+g@mail.gmail.com> <CALx6S36e=Dhv44HLmMR_aDxVYaNJOkr7hBpWk2HM5bPOQ0pXJg@mail.gmail.com> <CA+wi2hOMAiTFWTMDrwTui9hALYqWXfUT3AxQmbkE5OLKfcTivg@mail.gmail.com> <CALx6S3402WLBVamq7ix_hEnMZ+9Li2rzmSJ=Mx62_powJ5XFUg@mail.gmail.com>
From: Justin Iurman <justin.iurman@uliege.be>
In-Reply-To: <CALx6S3402WLBVamq7ix_hEnMZ+9Li2rzmSJ=Mx62_powJ5XFUg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hjrYp2fBZP_3HRuauA-G0Teh3ik>
Subject: Re: [IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2023 20:04:45 -0000

+1 to what Tom just said.

As is, there is no such thing as "SRv6 packets". At the end of the day, 
it's still an IPv6 packet. Of course, it has a specific extension header 
attached... but that does *not* make it something different than an IPv6 
packet.

Cheers,
Justin

On 11/1/23 12:40, Tom Herbert wrote:
> On Wed, Nov 1, 2023 at 11:40 AM Tony Przygienda <tonysietf@gmail.com> wrote:
>>
>>
>>
>> On Tue, Oct 31, 2023 at 9:45 PM Tom Herbert <tom@herbertland.com> wrote:
>>>
>>>
>>>
>>>
>>> On Tue, Oct 31, 2023, 12:54 PM Tony Przygienda <tonysietf@gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> On Tue, Oct 31, 2023 at 5:47 PM Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
>>>>>
>>>>> On Mon, Oct 30, 2023 at 6:33 PM Joel Halpern <jmh@joelhalpern.com> wrote:
>>>>>>
>>>>>> Maybe I am dense, but I have trouble seeing how a node could have enough information to compose a useful CRH source route, and not have enough information to know where the relevant decapsulator is.  The most obvious candidate would be simply to decapsulate at the last entry in the source route.  it doesn't matter if that is (as is likely) not actually the egress.
>>>>>
>>>>> Hi Joel,
>>>>>
>>>>> Yes, that would probably be the most obvious candidate, and it's also
>>>>> a candidate for removing the RH. Once segments left is zero, the
>>>>> routing header is not operationally relevant to any downstream nodes.
>>>>>
>>>>> But even if that were the obvious choice for an encapsulation, I still
>>>>> don't see how the source could know when to encapsulate and when not
>>>>> to. A possible solution might be to tunnel all packets, but then
>>>>> that's a lot of per packet overhead especially if most packets never
>>>>> actually leave the limited domain.
>>>>>
>>>>> More generally, constraining protocols like routing header to a
>>>>> limited domain is required and it's clear that *something* needs to
>>>>> happen at edge routers of the limited domain.
>>>>> draft-raviolli-intarea-trusted-domain-srv6 has a good description of
>>>>> the problem. That's focused on SR, but other routing headers like CRH,
>>>>> and other use cases of extension headers also have similar
>>>>> requirements-- I would hope that there might be a general solution to
>>>>> limiting protocol to limited domains (IMO, a new Ethertype like
>>>>> described in that draft isn't the best solution and is likely to
>>>>> create a set of new problems)
>>>>
>>>>
>>>> can you be more specific here? seemed to have worked for mpls like a charm, for a very long time, at a very large scale ... and to differentiate v4 from v6 and many, many other use cases where it was necessary to quickly deploy a domain boundary ...
>>>
>>>
>>> Hi Tony,
>>>
>>> Right there's an Ethertype to differentiate IPv4 and IPv6, and there's an Ethertype for MPLS. But unlike those cases and contrary to what some people might claim :-), segment routing is *not* a new network protocol-- it is IPv6 with a routing header.
>>
>>
>>   Hey Tom,
>>
>> I have heard/seen adamant claims that SRv6 with compression may NOT carry a routing header.
>>
>> As to whether it's IPv6 I see since years sets of discussions claiming a yes or no depending on proponents of drafts and whichever way serves them best to support their idea.  Claiming SRv6 is IPv6 seems to me leading down the path where a IPv6 packet (and dst address in particular) can be defined to mean anything, including replication bitmasks and then declaring things like BIER being IPv6 [and don't think that hasn't been tried] ;-)  Layering and abstraction are the only ways technologies (and in general complexity) scale and this kind of logic runs straight against it IME.
> 
> Tony,
> 
> I don't believe calling segment routing IPv6 is a subjective opinion.
> If we sample a packet on a network and it has Ethertype 0x800 and IP
> version number is six, then it *is* an IPv6 packet and will be
> processed as such. Sure, it might also be a SRv6 packet or a BIER
> packet, but fundamentally to the network an especially at intermediate
> nodes between segments it is processed and forwarded as an IPv6
> packet. Such packets MUST conform to RFC8200 for instance.
> 
> Defining a new Ethertype for SRV6 would change that so that SRV6 could
> be a distinct protocol with its own requirements. As I said, I believe
> there's a risk of divergence with IPv6 so that it becomes a new L3
> protocol. Even so, if there is some need to fundamentally make SRv6 a
> distinct L3 protocol from IPv6 like the header format needs to be
> different, then IMO a new Ethertype would be much better route than
> trying to infer alternative semantics based on the the context of the
> limited domain in which the protocol is used. In other words, if
> Ethertype is 0x800 then the packet is IPv6 universally, it's not "IPv6
> for the Internet" or "IPv6 in the limited domain".
> 
>>
>>>
>>> So a new Ethertype would at best be a synonym for IPv6, and in the worst case it might be an incentive to branch IPv6 in odd and non compatible ways. That coupled with the massive change in implementations, tooling, and operations that would be needed makes me think it's not a preferred solution. These points were raised at the 6man IETF117 meeting.
>>
>>
>>
>> well, I do work with good amount of very experienced chip folks and according to them it presents  little difficulty. ethertype points at certain block processing and then hands off to srv6 block and that's about it.
> 
> It may be a little easier to filter at the edge, but now we have to
> change every router in the network and potentially every host and also
> all of the tooling and tracing to accommodate a new Ethertype that is
> the same thing as 0x800. I still don't see that the benefits outweigh
> the costs.
> 
>>
>>
>>>
>>>
>>>>
>>>>
>>>> Unless we have a clear, simple demarcation on the packet we end up building basically a stateful firewall by deep inspection or state-tying-together magic. one can afford that at L4 throughputs (at high cost) but the game is very different with the L3 or L2.5 economics as they are today.  As long CRH is mandatory on _every_ SRv6 packet, ok, it's bit deep to parse into but maybe somewhat workable, without, it eludes me how to build a simple, economical, non-stateful solution to delineate a possible SRv6 injection attack surface distinguishable from normal v6 forwarding unless a new ethertype is required.
>>>
>>>
>>> As the CRH draft already says, a packet can be identified at the edge by inspection to see if it contains a routing header. Checking for a routing header is a simple stateless operation and the network is free to set limits on how much DPI it's willing to do to find the routing header.
>>
>>
>> Please point me at a definitive normative statement in existing RFC that give me the assurance that a SRv6 packet will and MUST ALWAYS carry a SRH and anything else MUST never be processed as SRv6. if that's the case and we can strictly make that a normative RFC, yes, I start to feel more sympathetic towards your arguments.  Even then, you ask us to built a firewall processing IPv6 header very deeply on every device on every packet. There is a good reason why you see most of internet  not even letting EH stuff through ...
> 
> RFC8754 gives the normative requirements for how to do segment routing
> with SRH and I believe there is a similar definition for MPLS. Can you
> point me to the RFC with the  normative requirements and also the
> motivation for how to segment routing without any sort of routing
> header?
> 
> Thanks,
> Tom
> 
>>
>> Things would have been easy and make sense, loose source routing option in IP packets would have been on the chips/working last 20 years and frankly, most real-life use cases claimed for SR I see on real networks could be solved with 1 or 2 addresses in such option all I've seen ...
> 
>>
>> thanks
>>
>>
>> --- tony
>>
>>>
>>>
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email