Re: [IPv6] Adoption call for draft-bonica-6man-comp-rtg-hdr

["Dale W. Carder" <dwcarder@es.net>]

Hi Ron,

Would there need to be interop between CRH and SRv6, or is CRH
completely standalone?  I am not in SPRING so excuse me if this
question is a distraction.  (I remain a bit confused as to why
this draft is here)

In SR/MPLS, proccessing at the edge of the IGP domain is controlled 
at the interface level, effectively by ethertype filtering (including 
by 3rd parties such as at competent IXPs).  So, IGP stuff doesn't
leak in or out.

In RFC 8754 section 5.1, the method of "securing" the SRv6 domain
I think is described as dedicating a specific address block to 
all those SIDs and hopefully remembering to filter that block at the
edge with ACLs to keep the forwarding instructions internal.  From 
RFC9288 3.5.2 one could also filter Routing Type 4 (if that were 
actually possible on the box).

For CRH, is there a pragmatic way to do such filtering?  Or do you 
have to implement an ACL such that one would have to process it deep 
enough to filter all Routing Type 5 and 6 at the edge of the network?

I guess I am pretty skeptical that this could be deployable in a safe 
manner, and being an operator I would need some pragmatic guidance
as it does not appear obvious.

Dale



Thus spake Ron Bonica (rbonica=40juniper.net@dmarc.ietf.org) on Thu, Nov 09, 2023 at 05:26:31PM +0000:
> Jingrong,
> 
> I am confused by the references to SRv6/8754/8986. What specific changes would you like me to make to the CRH draft?
> 
>                                                   Ron
> 
> 
> 
> Juniper Business Use Only
> -----Original Message-----
> From: Jingrong Xie <xiejingrong=40huawei.com@dmarc.ietf.org>
> Sent: Thursday, November 9, 2023 5:38 AM
> To: Jen Linkova <furry13@gmail.com>; 6man <ipv6@ietf.org>
> Cc: draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
> Subject: RE: [IPv6] Adoption call for draft-bonica-6man-comp-rtg-hdr
> 
> [External Email. Be cautious of content]
> 
> 
> Hi 6man WG:
> 
> I think the document should have more discussions on Security aspects.
> 
> SRv6/RFC8986/RFC8754 has built the security of an IPv6-based trusted domain (SR domain) on the highly strict IPv6 address management.
> 
> To define a "IPv6 address block" for special-usage (the so called Network-Programming), is a solid paradigm to make such an IPv6-based trusted domain IMO.
> 
> In my understanding, once there is a need to use a "special-usage" address (which differs the RFC4291 address), no matter GUA/LUA, the management of such address should be built on SRv6 NP (not bounding to an Interface/Loopback, and populating FIB differently, etc).
> 
> 
> The removal of reference to SRv6/8754/8986 will make this solid paradigm no longer to be useful. I see there are challenges faced, for example:
> CE1----PE1[Provider-network]PE2----CE2
> CE1 may want to use a SRv6 SRH with an active SID being a PE's SID under a VRF context, and the last SID being the CE2.
> With this document, the case will not able to be supported I think.
> See a draft (expired though) https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-xie-spring-srv6-npi-for-overlay-00.html__;!!NEt6yMaO-gk!C366b9VXaEDSiowxvBIP8DCsrzxvfA2G6X-xdonrZgiEq_GXdbVpGxBFfLYlCMs-pM4TiY_PC2_9pCCg35SrLyIcwKuEVZ4$ .
> Another similar example (VPN-CAR case ) https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-car/__;!!NEt6yMaO-gk!C366b9VXaEDSiowxvBIP8DCsrzxvfA2G6X-xdonrZgiEq_GXdbVpGxBFfLYlCMs-pM4TiY_PC2_9pCCg35SrLyIcaa3e6wg$
> 
> 
> Thanks,
> Jingrong
> 
> 本邮件及其附件可能含有华为公司的保密信息，仅限于发送给上面地址中列出的个人或群组。禁止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、或散发）本邮件中的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本邮件！
> This e-mail and its attachments may contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
> 
> 
> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Jen Linkova
> Sent: Thursday, October 26, 2023 4:04 PM
> To: 6man <ipv6@ietf.org>
> Cc: draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
> Subject: [IPv6] Adoption call for draft-bonica-6man-comp-rtg-hdr
> 
> This email starts an adoption call for the following document:
> 
> Title: The IPv6 Compact Routing Header (CRH) Draft name: draft-bonica-6man-comp-rtg-hdr
> Link:  https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-bonica-6man-comp-rtg-hdr/__;!!NEt6yMaO-gk!C366b9VXaEDSiowxvBIP8DCsrzxvfA2G6X-xdonrZgiEq_GXdbVpGxBFfLYlCMs-pM4TiY_PC2_9pCCg35SrLyIcKg295UI$
> 
> Substantive comments and statements of support for adopting this document should be sent to the mailing list. Editorial suggestions can be sent to the authors.
> 
> The adoption call ends on Monday, Nov 13th, 23:59 UTC.