[IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6man-comp-rtg-hdr-08: (with DISCUSS and COMMENT)
Mark Smith <markzzzsmith@gmail.com> Thu, 30 May 2024 02:05 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30F52C1930B6; Wed, 29 May 2024 19:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.594
X-Spam-Level:
X-Spam-Status: No, score=-1.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMD51kJAhuQg; Wed, 29 May 2024 19:05:26 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF05AC1840D7; Wed, 29 May 2024 19:05:25 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-a62614b9ae1so25555366b.0; Wed, 29 May 2024 19:05:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1717034724; x=1717639524; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=c6s/QV7Z7QYdZOmpyBX1Vj5t33KtJlWQjf1cDrYifxQ=; b=XVN3YW6edLj+N5DKddfiCAGdzIcuA1fRUAoQ6ByuighgrxPHVnw8U7Dxkuz4gaE6Bu m1MXCuasBhz7qRIlZBhf5n6K/yC1Eft5GpRw+xQSsWAepaKx4sz1zSW29B6O2ryo4/XP fKXNMJYXtrTU2ogTrvb7AoYqV+zosPv577YuEj3q63U/lGFjpNiCxgGzuoXU0cCamo+v mXm+jYcBnO9t5UPzejoxzIgF/ZM3O1JSTh55ZC/8Xv88tQ/BOV6qWwWkKl9T+M5PKvLa wSi0nWWPjIhjDi4mm6vXHejwllnMNyb2RdYCyf6dHgAWzcIoaV+GSJxKnhkq6nf77qpu 3RRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717034724; x=1717639524; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=c6s/QV7Z7QYdZOmpyBX1Vj5t33KtJlWQjf1cDrYifxQ=; b=DjF8gUX5t2yXdIrPP9KS1JaYc8O5S44zyeq2puHqfxBb3emPf6xZAiMu5AAcOPkcTB cGKwDOvEY5+N/SSfDQp5NUwQPNrlpYvQA5cSO95nzSZX0RCXNPpfOuc6pOjWU8j4FdcR 5Bd/OXTl5NMqr0Ds3fyB3PWWHZShe8PEAkAE604ulO8eRLzgIPq2dumaARNWAUsnJJ9i Uyu+Y1MR0WL+9zXxXehLQxXAnkw8FtP0KeR3f8iG5DX60UsqzfnHkQqRNlhLFFnUwcMn 8qx0efJz4HQSSvAhZvjucKsicYHCS9u6eoLUPEQND966z/A6vwxOLWc0AqbZwjPv1g/I mrxA==
X-Forwarded-Encrypted: i=1; AJvYcCXK0o2JTqBgU07V0eq+DUWe8pYRiP+TN6jcRR8HmcTXKGBrYHhtpeVXlphnVccZBCcUqSn9QC0J2gsGm4c3+brLGOebA6BbHDegJ44xESF81sQvVqvFDdGpOBoHrOlH/zCJoszBJz0xItQGJkvaA05OhxalVSL3fJHjEsOoBhde6H14AjjVC8L56w==
X-Gm-Message-State: AOJu0YySWlAt8R0xZ9sna0JpjwWphJXRG+QagR3jDU3i7qtW/zgav288 Nw7qEDX4kB1jSVsYatv2mAVSmQYoUh858Og3zXVo4nElwN+W2OIUqQoUJk5tgIc34U/HVK0rSUz 1HWqJ7MUHiyOUBOuCGL3NvAH9gTA=
X-Google-Smtp-Source: AGHT+IHJ4HS8s2ps4L8cSdEWy719kBuprvRLTZqc6QcHgQx/0LctQCNQHg7wXbKpkRVIBH8NR5grr/mvm+xoEIeDix8=
X-Received: by 2002:a17:906:abd0:b0:a62:e4d:8666 with SMTP id a640c23a62f3a-a65e8e562edmr41226066b.28.1717034723806; Wed, 29 May 2024 19:05:23 -0700 (PDT)
MIME-Version: 1.0
References: <171701017054.52762.15332933554163582477@ietfa.amsl.com> <BL0PR05MB53162C021627ADFC321DD094AEF22@BL0PR05MB5316.namprd05.prod.outlook.com> <CALx6S36DdhUimNdGMv0+Txyj6HxDe=j0oV_ytFVWfevNZjjkDw@mail.gmail.com>
In-Reply-To: <CALx6S36DdhUimNdGMv0+Txyj6HxDe=j0oV_ytFVWfevNZjjkDw@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Thu, 30 May 2024 12:04:56 +1000
Message-ID: <CAO42Z2wYbUpi4MvSHq3ZoBHfwrLGcHhTcZsoifrP3bxvTDFAHw@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: MDPH5O33YOI4T3WUP6PZGBGVLL3SOE6C
X-Message-ID-Hash: MDPH5O33YOI4T3WUP6PZGBGVLL3SOE6C
X-MailFrom: markzzzsmith@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-6man-comp-rtg-hdr@ietf.org" <draft-ietf-6man-comp-rtg-hdr@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>, "bob.hinden@gmail.com" <bob.hinden@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6man-comp-rtg-hdr-08: (with DISCUSS and COMMENT)
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pKE1FpWj81eIKkMCXPEvFFlC9-E>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>
Hi, On Thu, 30 May 2024 at 10:20, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote: > > On Wed, May 29, 2024 at 4:23 PM Ron Bonica > <rbonica=40juniper.net@dmarc.ietf.org> wrote: > > <snip> > > ## Section 7 > > > > It is not clear to me why this document needs to make an allowance for > > intermediate nodes (sic) that verify transport layer checksums. Transport layer > > checksums are expected to be verified by the Transport layer endpoints and not > > in the network. So since when the Internet architecture has changed to take > > care of `it prevents intermediate nodes from verifying transport layer > > checksums`? Actual references are required for such statement. And, > > explanations should be given whether this "sentence" helps RFC 7258 pervasive > > monitoring perhaps in the security considerations section. > > > > [RB] Agree. I have deleted section 7. > > Ron, Eric, > > While the expectation may be that only endpoints will verify the > checksum, since it's in plain text there is nothing that prevents > intermediate nodes from processing it and potentially filtering bad > packets with bad checksums (similar to other non-standard cases of > devices doing Deep Packet Inspection and looking at TCP options or > other parts of transport layer headers). Also, I believe that could > break NAT? On a more programmatic side, snooping tools will report bad > L4 checksums in their output; this has been very useful in deployment > for debugging checksum failures (i.e. trying to figure out where the > error was introduced in the path). > > I don't immediately know of any other cases where the checksum would > be incorrect on the wire, so this is potentially breaking a > longstanding convention that falls under the be conservative in what > you send philosophy. IMO, at least documenting it is prudent. > As this issue only occurs for TCP, UDP and ICMPv6, and only occurs because those protocols' pseudoheader checksum is covering the CRH IPv6 header, I think the solution is to insert another IPv6 header between the outer CRH IPv6 header and the TCP, UDP or ICMPv6 payload, with the packet's originating SA and final DA. The TCP, UDP or ICMPv6 pseudoheader checksums would then only cover the new IPv6 header, and that IPv6 header would not be changed during transport over CRH. Middle boxes shouldn't be validating the TCP, UDP or ICMPv6 pseudoheaders in that case, as the new IPv6 header should hide those payloads from the middlebox. However, even if a middlebox did validate the pseudheader checksums, they would pass because the new IPv6 header isn't changed in flight over the CRH substrate. (An alternative perspective. CRH (and SRv6) are replacements for MPLS. TCP, UDP or ICMP were never "bare" or directly in MPLS, there was always an IP header in between the MPLS and TCP, UDP or ICMP headers, so there also should be for CRH and SRv6. MPLS is a data link layer protocol from the perspective of the network layer, and therefore so are CRH and SRv6.) Regards, Mark. > Tom > > > > > > > ## Section 11 > > > > While not a real DISCUSS criteria, I am really surprised to see an IPv4-like > > notation for CRH SID. > > > > [RB] Why not. IPv4-like is a convenient and familiar notation for 32-bit values. > > > > ## Section 12 > > > > As AH is end-to-end, intermediate nodes do not have the shared secret, hence > > `The CRH is not compatibile with AH processing at intermediate nodes.` is > > useless and confusing. Please remove. Very similar to the DISCUSS about section > > 7. > > > > [RB] Agree. I have removed that sentence. > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > > > # COMMENTS (non-blocking) > > > > ## Abstract > > > > Can we really write `deployed` for an experimental I-D? > > > > [RB] The purpose of any IETF experiment is to demonstrate that something can be deployed. You nay want to deploy in a low-risk environment at first. But if you can't demonstrate deployability, why bother. > > > > ## Section 1 > > > > s/to its destination/to its destination(s)/ (think multicast/anycast). Twice in > > the section ;) > > > > [RB] Done > > > > > > > > Suggest to move the motivation to its own section. > > > > ## Section 3 > > > > Any recommendation on when to do `The first CRH SID in the path can be omitted > > from the list.`? > > > > What is the expected behavior of any CRH-aware router and final node(s) when > > `the Type- specific data field MUST be padded with zeros` is not respected ? > > > > ## Section 4 > > > > Can the IPv6 address in the CRH-FIB be a link-local or multicast or can only be > > a unicast ? Section 5 gives some more explanations, but an early one would be > > better. > > > > ## Section 5 > > > > The first bullet can probably be removed as it is the normal behavior of any > > IPv6 node per RFC 8200. > > > > `If Hdr Ext Len indicates that the CRH is larger than the implementation can > > process, ` suggest using code 6 per > > https://urldefense.com/v3/__https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml*icmpv6-parameters-codes-5__;Iw!!NEt6yMaO-gk!DVJoms2WoGvxmxqkffXENdtHNjV3fbIs-eqSaGApHrZ_QLRG6sy7korNjjBzml5sJ7eFURmc25Y-TxM$ > > > > While wasting octets with too large CRH (i.e., larger than the minimum length) > > is a bad thing, does it deserve to discard the packet on transit ? Why not > > requesting the source to enforce this mimimum length? > > > > `If the search does not return a CRH-FIB entry` is the code 0 the most suitable > > code ? If not, why not creating one ? Or even using ICMPv6 code 1 'destination > > unreachable' ? > > > > `If Segments Left is greater than 0` this will always be the case per first > > bullet `If Segments Left equals 0` ;-) > > > > The reader will welcome a justification of `CRH-FIB entry contains a multicast > > address, discard the packet and`. > > > > ## Section 6 > > > > I guess that this is linked to RFC 4302 (AH), so, please state this clearly. > > > > ## Section 7 > > > > Is it about `Destination Address Transparency` or privacy ? > > > > ## Section 8 > > > > `Each CRH SID is processed by exactly one node.` isn't it rather "Each CRH SID > > is processed by exactly one CRH-configured router whose one address matches the > > packet destination address" ? > > > > ## Section 9 > > > > The title should rather be "operational considerations" > > > > What are the "representations described herein" in ` It is recommended that the > > experimental versions of PING use the text representations described herein` ? > > Is it about section 11 ? Then please add a forward reference. > > > > ## Section 10 > > > > This is the usual considerations about ICMP, please consider to remove this > > section. Or refer for section 5 of RFC 4443. > > > > ## Section 11 > > > > Beside the above semi-DISCUSS, please state that hexadecimal should be in lower > > case. > > > > ## Section 12 > > > > `The Source Address does not identify an interface on a trusted node.` is there > > any hint how this can be done ? How will it scale if all CRH-enabled router > > must know all the specific address of all trusted nodes ? The same scalability > > issue for `The ACL discards packets whose source address identifies an > > interface on a trusted node.` > > > > ## Section 13 > > > > If the Wireshark/tcpdump modifications (cited in section 9) are public, then > > references to code will be welcome. > > > > `Interoperability among these implementations has not yet been demonstrated.` > > should rather be in section 14 'experimental results' > > > > ## Section 14 > > > > I am indeed very curious to see the experimental result of > > ``` > > Mechanism used to populate the FIB > > Scale of deployment > > ``` > > even if the text states in one year after publication as an RFC, this work > > started back in 2019 and was adopted in 2023, do we already have some results ? > > > > What are the possible next steps as seen by the authors / 6MAN WG is the > > experiment is assumed to be successful ? And what are the criteria to declare a > > successful experiment ? > > > > # NITS (non-blocking / cosmetic) > > > > ## Section 12 > > > > s/This is becasue /This is because/ > > > > > > > > -------------------------------------------------------------------- > > IETF IPv6 working group mailing list > > ipv6@ietf.org > > Administrative Requests: > > -------------------------------------------------------------------- > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: > --------------------------------------------------------------------
- [IPv6]Éric Vyncke's Discuss on draft-ietf-6man-co… Éric Vyncke via Datatracker
- [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6ma… Ron Bonica
- [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6ma… Tom Herbert
- [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6ma… Ron Bonica
- [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6ma… Mark Smith
- [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6ma… Tom Herbert
- [IPv6]Re: Éric Vyncke's Discuss on draft-ietf-6ma… Eric Vyncke (evyncke)