IETF Logo Mail Archive

Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>

"Darren Dukes (ddukes)" <ddukes@cisco.com> Thu, 06 June 2019 13:28 UTC

Return-Path: <ddukes@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9E891200FA for <ipv6@ietfa.amsl.com>; Thu, 6 Jun 2019 06:28:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Xm4jYHxM; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=mLhyHmK4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FS7aPWGduIvU for <ipv6@ietfa.amsl.com>; Thu, 6 Jun 2019 06:28:30 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EDFD120096 for <ipv6@ietf.org>; Thu, 6 Jun 2019 06:28:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=25314; q=dns/txt; s=iport; t=1559827710; x=1561037310; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=OLfVhY9hRILmG2atSuPBeAirz7HQgRUkYV2j82F4XyE=; b=Xm4jYHxMSUOJlqcxbXfGB/5AaRh907coRLALtDWatkK+NK9hHNiDo8Be Jz8RJlVIgGEeN87I5woMmD+WX22lBao9inQ5H6O94WX71UIr3zsXy2EfD 0o5oJytZJo6CyTuyS7Yr4FjvKjEeG0ikUpKElPWsgHotbMjKJmrk+gk6X Y=;
IronPort-PHdr: 9a23:aRnyTB+aiXD6iP9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+/bR7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVcKJFE72N9bhbjcxG4JJU1o2t3w=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BpAgBVFPlc/51dJa1lGwEBAQEDAQEBBwMBAQGBZYE+JCwDalUgBAsoCoQKg0cDjl2CMiWJQ4wYgVaBQoEQA1QJAQEBDAEBGA0IAgEBhEACF4JMIzgTAQMBAQQBAQIBBG0cDIVKAQEBAwEBARALBhEMAQEsCwEEBwQCAQYCEQQBAQECAiMDAgICHwYLFAEICAIEDgUUDoMAAYFqAw4PAQIMixqQYAKBOIhfcYExgnkBAQWBMgEDAoNFDQuCDwMGgQwohG6GbReBQD+BEScME4JMPoIaRwEBAgGBOA8HAw2DCjKCJos1JIJKmhAsPgkCgg6GQ4RThD2DahuBSlmGd4QEiCSBRowwh3CBYYsKgjMCBAIEBQIOAQEFgWYhgVhwFRohKgGCQYIPDBeDTUaEToU+AXIBAYEnjAkBJAeBBAGBIAEB
X-IronPort-AV: E=Sophos;i="5.63,559,1557187200"; d="scan'208";a="350850152"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 06 Jun 2019 13:28:28 +0000
Received: from XCH-ALN-012.cisco.com (xch-aln-012.cisco.com [173.36.7.22]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x56DSQUC003013 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 6 Jun 2019 13:28:26 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-012.cisco.com (173.36.7.22) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 6 Jun 2019 08:28:26 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 6 Jun 2019 09:28:24 -0400
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 6 Jun 2019 08:28:24 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OLfVhY9hRILmG2atSuPBeAirz7HQgRUkYV2j82F4XyE=; b=mLhyHmK4g0iFqouiYtNxx/1VNaxeFfKU5Qp1UlzFfIl2FFmM2AfCuf6K5yFbs926MGfU95nsZFyPdJIAYpIY0vSKyNtAnN9ijNSCUsGPGs4DXPc+wgyBKmZVXunEiiJjTyvKTjtzyTudd9gkiTOaZPF0Da36z93XbG+HA73DrTA=
Received: from DM6PR11MB3516.namprd11.prod.outlook.com (20.177.220.141) by DM6PR11MB2905.namprd11.prod.outlook.com (20.177.216.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1943.22; Thu, 6 Jun 2019 13:28:23 +0000
Received: from DM6PR11MB3516.namprd11.prod.outlook.com ([fe80::d59f:9fbe:1f8b:bac7]) by DM6PR11MB3516.namprd11.prod.outlook.com ([fe80::d59f:9fbe:1f8b:bac7%7]) with mapi id 15.20.1965.011; Thu, 6 Jun 2019 13:28:23 +0000
From: "Darren Dukes (ddukes)" <ddukes@cisco.com>
To: Joel Halpern Direct <jmh.direct@joelhalpern.com>
CC: IPv6 List <ipv6@ietf.org>
Subject: Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
Thread-Topic: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
Thread-Index: AQHVEKPvir/m07qyXEqVGUt8jQpJGaZ+8b+AgABObYCADY27AIAAcOuAgAACbICAABifAIAAAfiAgAADjgCAABG7AIAAAaYAgAABnwCAAC/xgIAACeuAgAEH5QA=
Date: Thu, 06 Jun 2019 13:28:23 +0000
Message-ID: <FBFEAFCE-6897-4EF8-9EFE-7C98C5E00C13@cisco.com>
References: <20160428004904.25189.43047.idtracker@ietfa.amsl.com> <588C586F-C303-418E-8D26-477C4B37CF92@gmail.com> <C7C2E1C43D652C4E9E49FE7517C236CB0260698D@dggeml529-mbx.china.huawei.com> <E5ED231C-2592-4D5F-9FA5-CA3D97994BE8@cisco.com> <C7C2E1C43D652C4E9E49FE7517C236CB0260A5F8@dggeml529-mbx.china.huawei.com> <CALx6S34fzjWOrLGaz=VnSRAq-zYDZAEy_f51UJCs8ginTffp=w@mail.gmail.com> <e0fd66d4-1b52-1ae0-d698-6ec780078ea3@joelhalpern.com> <B96F5BF4-163C-4910-9E3C-30BF97529899@cisco.com> <f3b21bf3-9325-b1fb-9755-768c4167398a@joelhalpern.com> <01800042-BAA0-46BC-ABC5-5F0817356F69@cisco.com> <dc4c21cd-131b-e05f-02c1-e5c72773b95a@joelhalpern.com> <E710B2A6-1292-4A5E-A6BD-3C39AC174063@cisco.com> <68b3c6de-c6e6-1339-cea4-9a8eca46c62b@joelhalpern.com> <0B19A065-D0F1-4132-9715-5C693A12EC18@cisco.com> <c56abf32-af6c-70dd-8776-7149eb9acd24@joelhalpern.com>
In-Reply-To: <c56abf32-af6c-70dd-8776-7149eb9acd24@joelhalpern.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ddukes@cisco.com;
x-originating-ip: [161.44.192.68]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5b3e579b-55dc-4298-2bb5-08d6ea82d99a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM6PR11MB2905;
x-ms-traffictypediagnostic: DM6PR11MB2905:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <DM6PR11MB29055103EE4583653C4B23D4C8170@DM6PR11MB2905.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 00603B7EEF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(376002)(346002)(136003)(366004)(51914003)(13464003)(199004)(189003)(53936002)(36756003)(71200400001)(71190400001)(83716004)(25786009)(8936002)(14444005)(30864003)(6916009)(66476007)(66574012)(2906002)(4743002)(73956011)(82746002)(66946007)(91956017)(64756008)(5660300002)(66446008)(66556008)(76116006)(4326008)(6246003)(66066001)(966005)(478600001)(316002)(186003)(14454004)(3846002)(305945005)(6116002)(86362001)(26005)(68736007)(256004)(102836004)(6512007)(53946003)(99286004)(53546011)(6506007)(446003)(33656002)(11346002)(486006)(7736002)(6306002)(476003)(2616005)(229853002)(6436002)(8676002)(81156014)(81166006)(76176011)(6486002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB2905; H:DM6PR11MB3516.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Xr5qSGSMkoIcCP6vg9HdWb76c8Z8zPGGHU4OJv06jVChca1iEp5csP3uILj9tVb1+rNo2b79SOvlvFqcfBM8z7+l6cs/SUTAr8j5dXA5eQ4sQ/5ihTIArX3SS1rKZz190PE1oqRb25AX9R9R5uJH8wmitpBpneBAQaIzkq5g319CL9bEnbYR5fiwXFnLkj+kANUyeOLOrVuesjy4thYo73IypTAcNXkmkLJeT3EozBThGUaf4tW90DXM97wVgproY9Lxh7vcM2oQPb8PtQSPT4vzMxdES4sr1dADUqYKYMnqEUzjL/WEK0S97b87iyuUAJBnYgvgQVLMiq5kHNKyGWh2hFcHhf5qN9J3QQvq3NBD2iZoP2Qd9/hgoQGKaifdPwCMc1GTtjwtksKyZ6LR9Ml7iVz8qfFr7w/PjNBd+Zg=
Content-Type: text/plain; charset="utf-8"
Content-ID: <ADC511861AE35241964914D7C3B5C2B5@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b3e579b-55dc-4298-2bb5-08d6ea82d99a
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jun 2019 13:28:23.6251 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ddukes@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB2905
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.22, xch-aln-012.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/meXo9Nuo8JRT0LV-kVHLWuHlDso>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2019 13:28:35 -0000

Hi Joel, as you’ve agreed, the SR Source node determines what segments are placed in the SRH through a means outside the scope of this document.

RFC8402 abstract - "A node steers a packet through an ordered list of instructions, called "segments”.”

The SR Source obviously knows what each segment does in order to build the segment list.
Read the multiple drafts for SRv6 and ISIS, OSPF, BGP-LS, network-programming to understand how it knows what segments do.

The SR Source relies on that knowledge to add any TLV to the SRH containing it's computed segment list, otherwise it would never know why or what to add.

HMAC is no different.  It must know that segments in its segment list will validate the HMAC and what key id to use so they can do so.

Therefor it is entirely acceptable and necessary for the SRH creator to know where the validators are and what they will validate so it knows how to build the segment list and HMAC TLV.

Darren


> On Jun 5, 2019, at 5:43 PM, Joel Halpern Direct <jmh.direct@joelhalpern.com> wrote:
> 
> My problem is not how the segment list gets into the SRH.  I agree that has been settled.
> 
> My concern is the interaction between the argument that the segment list is mutable and the HMAC validation.  If the segment list is mutable, then either the HMAC is valid when the packet is sent, and invalid when teh segment list changes, or the HMAC is invalid when the segment list is sent, and valid when it changes.  But nothing in the packet tells a potential validator that the HMAC does or does not currently apply to the packet.
> 
> You can get around this in multiple ways.
> We can drop the HMAC.
> We can declare that any entity that modifies the segment list MUST remove the HMAC  (and, if you like, may put a new HMAC on).
> We can, as Tom suggested, have a bit that says whether this packet is using a mutable segment list; and if so the segment list is not covered by the HMAC.
> What I think is unacceptable is to say that the SRH creator will magically know where the validators are and what they will validate, and will manage to create the right HMAC for all cases.
> 
> You have declared that segment list modifiability is dependent upon SID type.  But the generation and validation of the HMAC can occur at points where the SID is not specifying modifiability even if other SIDs in the list do specify modifiability.
> 
> Yours,
> Joel
> 
> On 6/5/19 5:08 PM, Darren Dukes (ddukes) wrote:
>> Joel, let's reset.
>> We were discussing HMAC validation by a segment within a segment list within an SR Domain as it pertains to draft-ietf-6man-segment-routing-header
>> It is clear that the HMAC TLV can do what it says - verify the segment list set by the SR Source (AKA Source SR node).
>> The Source SR node is defined in (section 5.1).
>> Section 5.1 also states:
>>    The mechanism through which a segment in the destination address of
>>    the IPv6 header and the Segment List in the SRH, is derived is
>>    outside the scope of this document.
>> This text has been present in the document since December 2015!
>> Further debate, in the context of this working group last call for draft-ietf-6man-segment-routing-header, of how the SRH and segment list is computed, the intent behind that computation, and what many things it may or may not need to consider to compute a segment list is clearly out of scope.
>> Thanks
>>   Darren
>>> On Jun 5, 2019, at 2:16 PM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>> 
>>> Not sure I follow.
>>> Your statement is that the "SR Source ALWAYS knows how to steer a packet...".
>>> In the (not uncommon) case where a PCE provides the SRH, it seems quite likely that the node sending the packet will not have any idea what the SID types in the list are, or wht subtle interactions there may be either within the SRH or between the SRH and other extensions (such as AH) that the sending node may want to use.
>>> 
>>> You say below that one can use "SR Source" to mean both the packet sender and the path computation entity.  But when they are different nodes, they have different knowledge.  So I do not see how it suffices to say that you mean the combination of the two.
>>> 
>>> Remember that our goal is interoperability of independent implementations, which includes the case wher ethe packet sender (either intra-domain source or domain edge node) is not only distinct from the PCE, but may well be from different vendors.  That's the point of the spec.
>>> 
>>> I note also that if we can truly consider the PCE and the packet sender to always be the same, then the use case in the document for the HMAC does not apply, since they are then presuambly equally trusted.
>>> 
>>> Yours,
>>> Joel
>>> 
>>> On 6/5/19 2:10 PM, Darren Dukes (ddukes) wrote:
>>>> SR Source node means sender.
>>>> In the text below I said SR Source (or a path compute node).
>>>> You may use SR Source to mean the sender and the path compute node, because the physical location of the process that computes a path from SR Source to a destination is not relevant to this discussion.
>>>> Darren
>>>>> On Jun 5, 2019, at 2:05 PM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>>>> 
>>>>> By the way, I assume you do not actually mean "sender" by source.  The use cases you describe often have the knowledge at the controller, not the sender.  So the source is the source of the SRH, but not the soure of the packet.
>>>>> Yours,
>>>>> Joel
>>>>> 
>>>>> On 6/5/19 1:01 PM, Darren Dukes (ddukes) wrote:
>>>>>> Joel the answer is simple and the same as usual.  The SR Source ALWAYS knows how to steer a packet in the SR Domain.
>>>>>> The SR Source (or a path compute node) would never add segments to a segment list in an order it knows cannot work.
>>>>>> Darren
>>>>>>> On Jun 5, 2019, at 12:48 PM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>>>>>> 
>>>>>>> Your response on the HMAC validation implies that someone on the far side of a SDI that modifies the SID list (e.g. a binding SID) would somehow know not to try to validate the HMAC?  Or would the Binding SID process be requried to remove the HAMC TLV?  Or?
>>>>>>> 
>>>>>>> Treating this as something can be deferred until a future SID is defined that changes SID lists is at best disingenuous.  These behaviors have implications for devices which try to support what is here, even if they are not upgraded to support new functionality.  For example, in the above, a device on the far side of a binding SID does not itself need to know anything about binding SIDs.  But it apparently needs to know something to decide whether it can verify the HMAC>  And no, local policy is not a good enough hook since this obviously depends upon the particular SID sequence the packet has gone through, not on the role of the device.
>>>>>>> 
>>>>>>> Yours,
>>>>>>> Joel
>>>>>>> 
>>>>>>> On 6/5/19 12:41 PM, Darren Dukes (ddukes) wrote:
>>>>>>>> Hi Joel, there is no definition of a "binding SID" that modifies a Segment list.
>>>>>>>> However it is obvious if I intend to modify a segment list within an SR Domain, AND I want to verify that segment list via an HMAC TLV, I would certainly do the verification before my modification.
>>>>>>>> Darren
>>>>>>>>> On Jun 5, 2019, at 11:13 AM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>>>>>>>>> 
>>>>>>>>> Apparently I am just dense.
>>>>>>>>> If we intend to permit the SID list to change along the way (for example with binding SIDs) then how does the HMAC TLV work?  The TLV is supposed to be verifiable along the path.  But the SID list is different before and after the binding SID.  So the same HMAC can not protect the two SID lists.
>>>>>>>>> 
>>>>>>>>> Do we want to restrict the HMAC TLV to be only processed by the first router on the path?  Do we want to declare that the HMAC can not be used with any behavior that modifies the SID list?
>>>>>>>>> 
>>>>>>>>> I guess I can take the view that folks are never going to implement the HMAC, as it is so loosely specified.  But if I expect it to work, we need some clarity on behavior.
>>>>>>>>> 
>>>>>>>>> And that is putting aside the question of whether one wants to see AH usable with SRH.  With the mutability as currently specified, AH will have to ignore the SRH.  Which is okay if we and the security community agree.
>>>>>>>>> 
>>>>>>>>> Yours,
>>>>>>>>> Joel
>>>>>>>>> 
>>>>>>>>> On 6/5/19 11:05 AM, Tom Herbert wrote:
>>>>>>>>>> On Wed, Jun 5, 2019 at 1:21 AM Chengli (Cheng Li) <chengli13@huawei.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Darren,
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Thanks for your reply. It seems like reasonable to pre-allocate space for IOAM. Also, PBT[1] based Telemetry can avoid this problem.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> However, in Stateless SFC[2], the NSH TLV can be included in SRH to carry metadata. The length of metadata may be mutable and hard to be pre-computed when the MD type is 2.
>>>>>>>>>>> 
>>>>>>>>>>> Maybe we still can pre-allocate enough space for this scenarios, but I still think we should make HDR as mutable.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> The fields that will not be changed en route will not affect the length of the SRH.
>>>>>>>>>>> 
>>>>>>>>>>> The mutable fields  will not count when compute ICV, and the changes of them are allowed, so why to limit  the change of length? There is no need to limit the length of these fields, because this does not help on Authentication but brings limitation.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> It is a general problem for IOAM and SFC, which need to add metadata into data packets.
>>>>>>>>>>> 
>>>>>>>>>> Hi Chengli,
>>>>>>>>>> Please look at https://trac.ietf.org/trac/6man/ticket/69 which
>>>>>>>>>> describes some of the operational problems of adding/deleting TLVs.
>>>>>>>>>> There is also an attribution problem.
>>>>>>>>>> The contents of a packet are attributed to the source which is
>>>>>>>>>> indicated by the source address. Fundamentally, the source of the
>>>>>>>>>> packet owns the bits and is responsible for the content. If an
>>>>>>>>>> intermediate node sets alternative content in a packet then at the
>>>>>>>>>> destination that content is attributed to the source. This content may
>>>>>>>>>> not conform to host policy, or for that matter might even be illegal,
>>>>>>>>>> and without any proper paper trail of who set the content, the source
>>>>>>>>>> is held accountable.
>>>>>>>>>> So the source requires fine grained control over what the network is
>>>>>>>>>> allowed to change, and authentication is means to enforce that
>>>>>>>>>> intermediate nodes only change the packet in permissible ways. If a
>>>>>>>>>> network node wants to change more than what the source allows, it is
>>>>>>>>>> free to encapsulate the packet for transit across the network, thus
>>>>>>>>>> itself becoming the source of the packet and so can set content in the
>>>>>>>>>> encapsulating headers per a different policy.
>>>>>>>>>> Tom
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> 
>>>>>>>>>>> Cheng
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> [1] https://tools.ietf.org/html/draft-song-ippm-postcard-based-telemetry-03
>>>>>>>>>>> 
>>>>>>>>>>> [2] https://tools.ietf.org/html/draft-xuclad-spring-sr-service-programming-02#section-7.2.1
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> 
>>>>>>>>>>> From: Darren Dukes (ddukes) [mailto:ddukes@cisco.com]
>>>>>>>>>>> 
>>>>>>>>>>> Sent: Tuesday, May 28, 2019 1:22 AM
>>>>>>>>>>> 
>>>>>>>>>>> To: Chengli (Cheng Li) <chengli13@huawei.com>
>>>>>>>>>>> 
>>>>>>>>>>> Cc: Bob Hinden <bob.hinden@gmail.com>; IPv6 List <ipv6@ietf.org>
>>>>>>>>>>> 
>>>>>>>>>>> Subject: Re: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Hi Cheng, thanks for the support, I have a couple comments inline.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> On May 27, 2019, at 8:41 AM, Chengli (Cheng Li) <chengli13@huawei.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Support. Many thanks to authors for their contributions! I agree that we should specify how the AH works with SRH in other drafts.
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> But I can NOT find any text of describing Hdr Ext Len is not mutable in RFC8200.
>>>>>>>>>>> 
>>>>>>>>>>>> Hdr Ext Len SHOULD be mutable, otherwise, use cases like incremental SRv6 IOAM[1] can not work.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> draft-ali-6man-spring-srv6-oam-01 actually reserves TLV at an SR Source node for use by segment endpoint nodes, so it doesn’t change the size of TLVs (see 4.4.2.1 and 4.4.2.2 of that draft).
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> All the use cases of inserting or deleting new TLV, or updating TLV with new length value are not allowed if Hdr Ext Len is not mutable.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Use cases you’re thinking of should be able to use a method similar to that in draft-ali-6man-spring-srv6-oam, I would be interested to hear about them.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Thanks
>>>>>>>>>>> 
>>>>>>>>>>>   Darren
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> I think it is a limitation to SRv6 that we should avoid it definitely.
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>> 
>>>>>>>>>>>> Cheng
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> [1]. https://tools.ietf.org/html/draft-ali-6man-spring-srv6-oam-01#section-4.4.1
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> 
>>>>>>>>>>>> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bob Hinden
>>>>>>>>>>> 
>>>>>>>>>>>> Sent: Wednesday, May 22, 2019 9:40 PM
>>>>>>>>>>> 
>>>>>>>>>>>> To: IPv6 List <ipv6@ietf.org>
>>>>>>>>>>> 
>>>>>>>>>>>> Cc: Bob Hinden <bob.hinden@gmail.com>
>>>>>>>>>>> 
>>>>>>>>>>>> Subject: 6man w.g. last call for <draft-ietf-6man-segment-routing-header-19.txt>
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Hello,
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> This message starts a new two week 6MAN Working Group Last Call on advancing:
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>       Title           : IPv6 Segment Routing Header (SRH)
>>>>>>>>>>> 
>>>>>>>>>>>>       Authors         : Clarence Filsfils
>>>>>>>>>>> 
>>>>>>>>>>>>                         Darren Dukes
>>>>>>>>>>> 
>>>>>>>>>>>>                         Stefano Previdi
>>>>>>>>>>> 
>>>>>>>>>>>>                         John Leddy
>>>>>>>>>>> 
>>>>>>>>>>>>                         Satoru Matsushima
>>>>>>>>>>> 
>>>>>>>>>>>>                         Daniel Voyer
>>>>>>>>>>> 
>>>>>>>>>>>>             Filename        : draft-ietf-6man-segment-routing-header-19.txt
>>>>>>>>>>> 
>>>>>>>>>>>>             Pages           : 32
>>>>>>>>>>> 
>>>>>>>>>>>>             Date            : 2019-05-21
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>    https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> as a Proposed Standard.
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> This document was in an extended last call that started in March of 2018.   An issue tracker was set up, and eight new versions of the draft were produced and discussed on the list and at face to face 6man sessions.   All of the issues in the tracker have been closed.  The chairs believe it is ready to advance, but given the number of changes and the time that elapsed, a new w.g. last call is warranted.  Please review the new document.
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Our thanks to the authors/editors and the working group for the work on this document.
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Substantive comments and statements of support for publishing this document should be directed to the mailing list. Editorial suggestions can be sent to the author.  This last call will end on 5 June 2019.
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> Thanks,
>>>>>>>>>>> 
>>>>>>>>>>>> Bob & Ole
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>> 
>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>> 
>>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>> 
>>>>>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>> 
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>> 
>>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>> 
>>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>> 
>>>>>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>> 
>>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>>> ipv6@ietf.org
>>>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>> 
>>>>>>>>> --------------------------------------------------------------------
>>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>>> ipv6@ietf.org
>>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>>> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email