Re: Limited Domains:

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 14 April 2021 20:34 UTC

Subject: Re: Limited Domains:
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: "Ahmed Abdelsalam (ahabdels)" <ahabdels@cisco.com>, "6man@ietf.org" <6man@ietf.org>, "draft-filsfils-6man-structured-flow-label@ietf.org" <draft-filsfils-6man-structured-flow-label@ietf.org>
References: <BL0PR05MB5316991D4124AD85BC69392AAE709@BL0PR05MB5316.namprd05.prod.outlook.com> <1697a0f8-b3cd-9f7d-d610-305b5305c9a1@gmail.com> <4077E736-0092-44C6-80D1-E094F468C00C@gmail.com> <12878114-5c26-86f9-89c3-bcfa10141684@gmail.com> <CALx6S35NBfVJmjqVwhNV3nui2avUOXn6ySMG3cxx2AvGkwr_Ow@mail.gmail.com> <08A6C3D2-A81C-413A-81B3-EFAAA9DBCCE5@cisco.com> <5b68beb6-a6f9-828b-5cca-9c5ec2bfbea7@foobar.org> <126B0A5E-B421-4B1F-AAEB-ABD48FFA4289@cisco.com> <CALx6S35yxqAqWJVhav-=+TB2ZyYttAFfsLNs6Btt+QUx__aQ1w@mail.gmail.com> <9b22cfe4-22eb-3977-2d25-79eb61370291@gmail.com> <17DC585D-3378-42BF-8CD0-67676BF0CFD3@gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <fa412769-893d-8bd8-ebfe-abfb741412a0@gmail.com>
Date: Thu, 15 Apr 2021 08:33:58 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <17DC585D-3378-42BF-8CD0-67676BF0CFD3@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/jBP_Kf4DbQXHwB-MWsn7q7K5REk>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
X-List-Received-Date: Wed, 14 Apr 2021 20:34:06 -0000

On 14-Apr-21 22:36, Stewart Bryant wrote:
> As far as I can see the only safe limited domain protocol is one specifically designed for use in limited domains.

Absolutely. And also, there needs to be a secure and objective definition of the membership and boundary of the domain. That's why we wrote RFC8799.

   Brian

> Any other approach leads to confusion, mistakes, security threats, complexity and cost.
> 
> Thus declaring that an “ordinary” IPv6 packet can simultaneously have both global and limited scope has the potential for creating significant issues for those wishing to use basic IPv6 in a limited domain.
> 
> We have an example of an IETF limited domain protocol: MPLS. This has a very simple lightweight data plane security model: it is a different protocol from IP and if it is presented with an IP packet at its edge, it simply wraps it in MPLS and sends it safely on its way across the network for export into some other network. Operators have a lot of experience with this protocol and we know that the model that MPLS is not IP results in complete confidence that the network will not confuse the two.
> 
> Equally we know of cases where IP is vulnerable to attack because it is so difficult to exclude packets. This was at the heart of the reason that source routing was deprecated some years ago.
> 
> Now I am not for a moment suggesting that the limited domain applications that the flow-label authors have in mind should be done in MPLS, but I am suggesting that if they want a limited domain protocol with properties different from IPv6, and there is no obvious way to unambiguously indicate the new functionality in basic IPv6, they ought to design a protocol with the properties that they require that is not IPv6.
> 
> I am reminded in this discussion of a time when another SDO wanted to make a “small” incompatible change to MPLS and argued that as this was only deployed in a limited domain that was safe. The IETF position was that incompatible and unrecognisable modification to one of our network protocols was a bad thing. A protracted high profile argument ensued and in the end the IETF view won the day.
> 
> This protracted discussion on flow labels seems to be in a similar mould, and I would argue that we should not accept a change to the forwarding actions on an IPv6 packet unless it is possible for the forwarder to know precisely and unambiguously which action it is to take on the packet it is currently parsing.
> 
> - Stewart