IETF Logo Mail Archive

Re: [IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr

Tom Herbert <tom@herbertland.com> Tue, 14 November 2023 19:45 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A464FC14F739 for <ipv6@ietfa.amsl.com>; Tue, 14 Nov 2023 11:45:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLHPk4Sxk_pk for <ipv6@ietfa.amsl.com>; Tue, 14 Nov 2023 11:45:25 -0800 (PST)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D16A0C14CF15 for <ipv6@ietf.org>; Tue, 14 Nov 2023 11:45:20 -0800 (PST)
Received: by mail-pj1-x1031.google.com with SMTP id 98e67ed59e1d1-28014fed9efso5104313a91.0 for <ipv6@ietf.org>; Tue, 14 Nov 2023 11:45:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1699991120; x=1700595920; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=UTZVSJzznvs///t85SJXVf+ZQD7/8laXtjP7ZtbHKbs=; b=FQdsG1Tp/eYUXUvw6o4Ek42dsewcZvnf4J7TN8bPwXUauw/gUOZcA/ZwYfN7kTxd/y BDy+t5VvXLT2+WLh3diXibnIGeh1waZ5X+0BDzcMARSipkaX1cuD5pL9n0GL33/5sbvg oZpAMIeITOYBGKHOTxfiIvnBBAR9hXtQJSCizd4JmDnYRH8d9kcmDqqCYS0jRNhumjcn uYF3o6sAOAC3pKZIS/MAkMSGHpORoqBl2eMFdPX/twYXEkAFT8HXWxyaOzpQItK8UPTJ 4jZQTvR+xb3jg52wYLhcXh2EO8JlDE4sav04sWF3gapDgLmnT4n4nLAzWlB/1udGgu0D wTVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699991120; x=1700595920; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UTZVSJzznvs///t85SJXVf+ZQD7/8laXtjP7ZtbHKbs=; b=nZbDX2OB7pBXwTMev5CNhM+zW72bCq9bmAz2QZbi42a51LxS2wQCtkUXo7MXEYxQn+ 1+CXrmsNmgU8pSOEukm38JOPQmHps1e16ZoGr6Cj8HP0nYms8kMCudYHWjH+M4bjM2ra V5ZLJpHYDPXk8QFri1olPBpjurzI/ZrApWHCeygnsvVlRfODWHTEIhAB3NYBeFtALu/S XzDfnq1LffXaDTx6DhQ38LBXwcFbzJrRINdAVM/1sYT8BkN6/G6H+oDlgLjW5NosFJ3M zXu6M0m3nVDryf0Geu3zyDfbW6l/y4+0NO6RqHOvY4jeSup7y+gO9Ll5h/zO9mA6Jpe/ tafg==
X-Gm-Message-State: AOJu0YylW7xTWzf8TdYy8m3irWESkuhxgXiu5224BuUgnGltTLwPEiTT XF7d/w9AsDDktpPV8pkRshk5gpRPjpw5PirGdbgnGg==
X-Google-Smtp-Source: AGHT+IGn/oqggZW/sr1B1aPV8yXb/wvQJbOpTAj/CfHv5T5ingPaLbuCaHJ8nmaIkwD7jllh7ODDtYCk8uUoamaEbBQ=
X-Received: by 2002:a17:90b:1d0a:b0:283:2932:e904 with SMTP id on10-20020a17090b1d0a00b002832932e904mr7868999pjb.2.1699991119983; Tue, 14 Nov 2023 11:45:19 -0800 (PST)
MIME-Version: 1.0
References: <CAFU7BARQLAS+w7kKUPSBgFacc5GXNAaJ97qkJg9VyjbhoNibcQ@mail.gmail.com> <CAMMESsysV1Oc3JyU058GRbUFfs18WEz16GKLcZX-waFo+hoN0w@mail.gmail.com> <BL0PR05MB5316B366B7B4A3C1D4AF4686AEA3A@BL0PR05MB5316.namprd05.prod.outlook.com> <CAMMESsxQj9hRS2HxHWK67EkR-=s-3Qor88+qGRzYFMnrJOR_qQ@mail.gmail.com> <BL0PR05MB53166A455E68541ED2586EC5AEA2A@BL0PR05MB5316.namprd05.prod.outlook.com> <CACMsEX-juiW5uOHze3j4zRnrG_Djn4S99hB=TJi3OgEiQz6QxA@mail.gmail.com> <CAO42Z2yR9Y_MszPuia3eS6zv2WJFiqb07juatp99bhbDO0kbxA@mail.gmail.com> <CAO42Z2y8e46hv0Cf49gHJnEimjrOg1dOwa2x36Zu77vBWzvdKw@mail.gmail.com> <f2150c48-480b-45a7-98a6-b2893ead8065@joelhalpern.com> <CALx6S37_2SAfOPsyKcXa6qKinAw_8tf7W_d5i8G86R2QEdck6Q@mail.gmail.com> <108bd733-5c66-4fb5-8224-fb2a1898ecc9@joelhalpern.com> <CALx6S37eJDJ1HpWrQOasOGqnVZyEDQYkmQxxjfpcHhykSUA1Bw@mail.gmail.com> <e45743ed-67bf-45a7-a60c-9dba2bb5de32@joelhalpern.com> <CALx6S374WuKBHodNCuPpZLe0g3BRLWsE9dANLDvidZPUca5C+w@mail.gmail.com> <744cd045-ee48-4829-bc6c-b36467c2acfd@joelhalpern.com> <CALx6S37SHG4Ut+8gsZW1UE-ykKpkj-wA8W1uiQEqFmdoqrkWAQ@mail.gmail.com> <CA+wi2hMzdxBr+_cX1ZQ_KTh9+5Y8990yKaFpCYBBzM3MR=WD+g@mail.gmail.com> <BYAPR05MB5318CBA978CB534F732A2F75AEA6A@BYAPR05MB5318.namprd05.prod.outlook.com> <CALx6S34gwEzVORC5tzD5vqQtooeBdm-LLAVnZxAPupH1Zo9_fQ@mail.gmail.com> <BL0PR05MB5316996FF10790A4BBCF15EFAEA5A@BL0PR05MB5316.namprd05.prod.outlook.com>
In-Reply-To: <BL0PR05MB5316996FF10790A4BBCF15EFAEA5A@BL0PR05MB5316.namprd05.prod.outlook.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 14 Nov 2023 11:45:07 -0800
Message-ID: <CALx6S35Di3CNg8EXNJGEO-sAYB3Y9_nAnrMUNAKjsBocom1P+g@mail.gmail.com>
To: Ron Bonica <rbonica@juniper.net>
Cc: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, Tony Przygienda <tonysietf@gmail.com>, Joel Halpern <jmh@joelhalpern.com>, 6man <ipv6@ietf.org>, "draft-bonica-6man-comp-rtg-hdr.authors@ietf.org" <draft-bonica-6man-comp-rtg-hdr.authors@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/qNeZNeAvXD6CXraNZxHbxdQmq-4>
Subject: Re: [IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2023 19:45:29 -0000

On Fri, Nov 3, 2023 at 12:56 PM Ron Bonica <rbonica@juniper.net> wrote:
>
> Hi Tom,
>
> Thanks for the review. Response inline[RB].
>
>                              Ron
>
>
> Juniper Business Use Only
> -----Original Message-----
> From: Tom Herbert <tom@herbertland.com>
> Sent: Wednesday, November 1, 2023 11:41 PM
> To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
> Cc: Tony Przygienda <tonysietf@gmail.com>; Joel Halpern <jmh@joelhalpern.com>; 6man <ipv6@ietf.org>; draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
> Subject: Re: [IPv6] Routing Headers and limited domains (Was Re: Adoption call for draft-bonica-6man-comp-rtg-hdr
>
> [External Email. Be cautious of content]
>
>
> On Wed, Nov 1, 2023 at 5:06 PM Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> >
> > Tony,
> >
> >
> >
> > Please do not confuse the CRH with SRv6 or SR. The CRH can be used on any IPv6 packet that doesn’t include another Routing Header type. It can be used in the absence of the SR control plane.
>
> Hi Ron,
>
> Just to clarify: Is it true that CRH is only an IPv6 routing header and doesn't require any modifications or considerations to IPv6 or any other protocols,
>
> [RB] True. The CRH is just another Routing Header and it is fully compliant with RFCs 4291 and 8200.
>
>  and that CRH will not need its own EtherType (i.e.
> CRH is IPv6 and conformant with RFC8200)?
>
> [RB] CRH does not required its own Ethertype.
>
> Also, at any given point in a packet's lifetime, can the final destination address of the packet be unambiguously determined just by inspecting the packet with CRH without needing any external context?
>
> [RB] No. The CRH contains a list of 2 or 4 byte Segment Identifiers. These are not to be confused with SRv6 SIDS. They are different. The only reason they are called SIDs is because all Routing Headers contain a field called "Segments Left".
>
> [RB] The final SID references a CRH-FIB entry that needs to exist only on the node that processes that SID. The CRH-FIB entry maps the SID to a real, RFC 4291, IPv6 address.
>
> And if any intermediate node were to try to validate a transport layer checksum with a pseudo header in flight for packets with a CRH, would it yield the same result (valid/invalid csum) as the final destination will get (I assume if the final destination can be derived from the packet the answer should be yes).
>
> [RB] No, it would not. The transport layer always uses the ultimate destination address to calculate the pseudo-header checksum. Intermediate nodes would have no way to determine the ultimate destination address because a) they probably do not recognize the CRH and b) even if they do recognize the CRH, they probably wouldn’t have the CRH-FIB entry required to determine the ultimate destination address.
>
> [RB] This issue isn’t unique to the CRH. Think about any other unrecognized Routing Header type, or even the SRv6 uSID.

Hi Ron,

>From RFC8200: "If the IPv6 packet contains a Routing header, the
Destination Address used in the pseudo-header is that of the final
destination."

I believe for all the currently defined routing headers, including
SRv6, the final destination can be derived from the routing header
without requiring any external state. If someone captures a pcap file
we should be able to parse the routing header to get the final
destination address and use that for checksum verification. The real
final destination is also needed to identify what flows packets belong
to. These are useful at least for diagnostics and debugging, but could
be used operationally in some scenarios.

If the last segment is a compressed SID that requires an external
state like CRH-FIB to decompress then we can no longer deduce the
final destination by just inspecting the packet. To me this is a loss
of useful functionality. It would be nice if we could retain this.
Maybe the last entry could be compressed in such a way that it doesn't
require an external state to decompress? (like RPL maybe?).

While the loss of the ability to determine the final address creates
some problems, it is at least manageable since we can identify packets
where the final destination cannot be deduced based on the presence of
Routing Headers in the packet with certain types.  The case that a
compressed SID is used in the Destination Address without a Routing
Header (like in draft-ietf-spring-srv6-srh-compression) is more
problematic. If this is deployed in a network then there will start to
be many packets with bad checksums detected when packets are traced at
routers. Since there's no routing header, there is no way to tell
without external information if these are truly bad checksums or not,
so debugging bad checksums in the network would be next to impossible.
A solution to that would be to update the transport layer checksum
updated each time the Destination Address changes following standard
procedures for NAT. That would at least address the inflight checksum
verification problem, but still the final destination is obfuscated
for flow identification.

>
> [RB] We also have to ask why an intermediate node might check the transport-layer checksum. A garden-variety router would not. However, some middleboxes might. Those middleboxes would break on any unrecognized Routing Header Type.

Yes, some middleboxes will try to validate transport layer checksums.
This is also needed for debugging and diagnostics. For instance, if a
host is receiving packets from some destination the operator will want
to identify where in the path the bad checksums are being introduced.
If we get a packet trace from some router and all the packets are
reported to have a bad checksum then that's not very useful.

>
> [RB] We have observed some middleboxes that, having detected an incorrect checksum, correct it. In my opinion, this behavior is hideous. It assumes that an incorrect checksum is *never* caused by packet corruption. This is a pretty dangerous assumption.

Yes, that is bad, non-standard behavior.

Tom

>
>                                                                    Ron
>
>
> Tom
>
> >
> >
> >
> >
> > Ron
> >
> >
> >
> >
> > Juniper Business Use Only
> >
> > From: Tony Przygienda <tonysietf@gmail.com>
> > Sent: Tuesday, October 31, 2023 3:54 PM
> > To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
> > Cc: Joel Halpern <jmh@joelhalpern.com>; 6man <ipv6@ietf.org>;
> > draft-bonica-6man-comp-rtg-hdr.authors@ietf.org
> > Subject: Re: [IPv6] Routing Headers and limited domains (Was Re:
> > Adoption call for draft-bonica-6man-comp-rtg-hdr
> >
> >
> >
> > [External Email. Be cautious of content]
> >
> >
> >
> >
> >
> >
> >
> > On Tue, Oct 31, 2023 at 5:47 PM Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
> >
> > On Mon, Oct 30, 2023 at 6:33 PM Joel Halpern <jmh@joelhalpern.com> wrote:
> > >
> > > Maybe I am dense, but I have trouble seeing how a node could have enough information to compose a useful CRH source route, and not have enough information to know where the relevant decapsulator is.  The most obvious candidate would be simply to decapsulate at the last entry in the source route.  it doesn't matter if that is (as is likely) not actually the egress.
> >
> > Hi Joel,
> >
> > Yes, that would probably be the most obvious candidate, and it's also
> > a candidate for removing the RH. Once segments left is zero, the
> > routing header is not operationally relevant to any downstream nodes.
> >
> > But even if that were the obvious choice for an encapsulation, I still
> > don't see how the source could know when to encapsulate and when not
> > to. A possible solution might be to tunnel all packets, but then
> > that's a lot of per packet overhead especially if most packets never
> > actually leave the limited domain.
> >
> > More generally, constraining protocols like routing header to a
> > limited domain is required and it's clear that *something* needs to
> > happen at edge routers of the limited domain.
> > draft-raviolli-intarea-trusted-domain-srv6 has a good description of
> > the problem. That's focused on SR, but other routing headers like CRH,
> > and other use cases of extension headers also have similar
> > requirements-- I would hope that there might be a general solution to
> > limiting protocol to limited domains (IMO, a new Ethertype like
> > described in that draft isn't the best solution and is likely to
> > create a set of new problems)
> >
> >
> >
> > can you be more specific here? seemed to have worked for mpls like a charm, for a very long time, at a very large scale ... and to differentiate v4 from v6 and many, many other use cases where it was necessary to quickly deploy a domain boundary ...
> >
> >
> >
> > Unless we have a clear, simple demarcation on the packet we end up building basically a stateful firewall by deep inspection or state-tying-together magic. one can afford that at L4 throughputs (at high cost) but the game is very different with the L3 or L2.5 economics as they are today.  As long CRH is mandatory on _every_ SRv6 packet, ok, it's bit deep to parse into but maybe somewhat workable, without, it eludes me how to build a simple, economical, non-stateful solution to delineate a possible SRv6 injection attack surface distinguishable from normal v6 forwarding unless a new ethertype is required.
> >
> >
> >
> > -- tony
> >
> >
> >
> > --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email