Re: EH end encapsulation in 2460bis
"Fred Baker (fred)" <fred@cisco.com> Wed, 13 April 2016 23:59 UTC
Return-Path: <fred@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1061912D5FF for <ipv6@ietfa.amsl.com>; Wed, 13 Apr 2016 16:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -115.517
X-Spam-Level:
X-Spam-Status: No, score=-115.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 92lf3RtBYEOF for <ipv6@ietfa.amsl.com>; Wed, 13 Apr 2016 16:59:31 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5427E12DF0A for <6man@ietf.org>; Wed, 13 Apr 2016 16:59:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3901; q=dns/txt; s=iport; t=1460591971; x=1461801571; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Fi5JzLU4aM891jcW2aYanvd5CS5FtMJYMi2SWCTmBT8=; b=NeAzGaasSbt54pnMmS6YMxWxM9nQSfyz3sh1AfAC3B8k3EhtNI4gdQWl pskTpTSDTH/yBS71WsFy/YMOjLcnWw48/sg67GRUfAErQIPDOgr2M2IPA YNOaY6YC7Bu6pBZSCPAbtQ286bQjr5IH9l2cgDOFECGOZ5+uYXTdVsIzD s=;
X-Files: signature.asc : 833
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DRAgBr3A5X/4cNJK1egzdTfQa6TQ6BcRcLhWwCgUE4FAEBAQEBAQFlJ4RBAQEBAwEBAQFrCwULAgEIGC4nCyUCBA4FDg2IBggOwxEBAQEBAQEBAQEBAQEBAQEBAQEBAQENBASIFoJWh2qCKwWHcpAWAYMjgWZtiBaPEI8mAR4BQ4NnbIh8fgEBAQ
X-IronPort-AV: E=Sophos;i="5.24,482,1454976000"; d="asc'?scan'208";a="91556744"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 13 Apr 2016 23:59:30 +0000
Received: from XCH-RCD-012.cisco.com (xch-rcd-012.cisco.com [173.37.102.22]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id u3DNxTiP001022 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Apr 2016 23:59:30 GMT
Received: from xch-rcd-013.cisco.com (173.37.102.23) by XCH-RCD-012.cisco.com (173.37.102.22) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 13 Apr 2016 18:59:29 -0500
Received: from xch-rcd-013.cisco.com ([173.37.102.23]) by XCH-RCD-013.cisco.com ([173.37.102.23]) with mapi id 15.00.1104.009; Wed, 13 Apr 2016 18:59:29 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: Tom Herbert <tom@herbertland.com>
Subject: Re: EH end encapsulation in 2460bis
Thread-Topic: EH end encapsulation in 2460bis
Thread-Index: AQHRldixsJ46CY2X20unwVqHwK89Qp+I6SWA
Date: Wed, 13 Apr 2016 23:59:29 +0000
Message-ID: <A9957AF5-22BC-47A6-8D87-6E099EEEFC76@cisco.com>
References: <CALx6S37dA7RVzLe-HFy3_iUye+TVgPk3oCZaLfiHrXMua7K-FQ@mail.gmail.com>
In-Reply-To: <CALx6S37dA7RVzLe-HFy3_iUye+TVgPk3oCZaLfiHrXMua7K-FQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3124)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.19.64.119]
Content-Type: multipart/signed; boundary="Apple-Mail=_359C7212-302B-4D2D-94B6-B77240CBC3B7"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/jItcGGFj0CPtVSmzgLd7iCqChcU>
Cc: "6man@ietf.org" <6man@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 23:59:34 -0000
I actually looked pretty hard at this in https://tools.ietf.org/html/draft-ietf-6man-hbh-header-handling-00. My segment-routing colleagues wanted pretty badly to insert an SR header at some point in the network, and then remove it somewhere else before delivery to the destination. Working through potential failure cases, what worried me was the security header. Suppose, for example, that the inserted SR header would have to be removed before being given to the addressed destination, but the addressed destination was an anycast address? In such a case, the system that will ultimately respond to the packet advertises itself as "a" right router capable of forwarding the packet to that address. So, fine, I give the packet to the "router", and the receiving system realizes that the destination address is one of its own, and so receives it as a message addressed to it. Oops; we tripped over an assumption. At IETF 94, I tried to make my SR colleague's point, and Bob Hinden told me that they had already vacated the field, leaving me with my pants around my ankles. Thanks, guys. But that is fundamentally the point. We need a solution that has no sticky failure cases, and delivering the actual packet sent is the only one that presents itself. Encapsulation does that. Anything else has to prove the case. > On Apr 13, 2016, at 4:03 PM, Tom Herbert <tom@herbertland.com> wrote: > > Hello, > >> From draft-ietf-6man-rfc2460bis-04 > > "Extension headers must never be inserted by any node other than the > source of the packet. IP Encapsulation must be used to meet any > requirement for inserting headers, for example, as defined in > [RFC2473]." > > It is unclear to me how/rather IP encapsulation can meet the > requirements or at least the intent of a node wanting to insert > extension headers. For instance if a middlebox is presented a packet > with EHs ABC and it wishes to insert EH X, it's intent might be to > create a packet with EHs ABXC. I don't see how this can generally be > expressed with encapsulation. For instance, is expected that there is > some process of moving/copying certain of the original EHs to the > outer headers (like HBH, routing)? > > Thanks, > Tom > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- EH end encapsulation in 2460bis Tom Herbert
- Re: EH end encapsulation in 2460bis Fred Baker (fred)
- Re: EH end encapsulation in 2460bis Brian E Carpenter
- Re: EH end encapsulation in 2460bis Ray Hunter (v6ops)
- Re: EH end encapsulation in 2460bis Mikael Abrahamsson
- Re: EH end encapsulation in 2460bis Stefano Previdi (sprevidi)
- Re: EH end encapsulation in 2460bis Mark Smith
- Re: EH end encapsulation in 2460bis Mikael Abrahamsson
- Re: EH end encapsulation in 2460bis Stefano Previdi (sprevidi)
- Re: EH end encapsulation in 2460bis Ray Hunter (v6ops)
- Re: EH end encapsulation in 2460bis Tom Herbert
- Re: EH end encapsulation in 2460bis Fred Baker (fred)
- Re: EH end encapsulation in 2460bis Brian E Carpenter