Re: I-D Action: draft-vyncke-6man-segment-routing-security-00.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 11 July 2014 03:30 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F8671A028B for <ipv6@ietfa.amsl.com>; Thu, 10 Jul 2014 20:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qNfhn5QKA623 for <ipv6@ietfa.amsl.com>; Thu, 10 Jul 2014 20:30:42 -0700 (PDT)
Received: from mail-pd0-x22d.google.com (mail-pd0-x22d.google.com [IPv6:2607:f8b0:400e:c02::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ECE31B29AB for <ipv6@ietf.org>; Thu, 10 Jul 2014 20:30:40 -0700 (PDT)
Received: by mail-pd0-f173.google.com with SMTP id r10so625610pdi.18 for <ipv6@ietf.org>; Thu, 10 Jul 2014 20:30:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=LtvkjlRweBZ1zcbrFE37XO0g2qr9kf1E+0Aj81f/8dE=; b=UIqUkj8W7W8SdxTKJpMoIj+Am2zvmXfa0s6K6SymyDmXlpapjge0D6JaJa4eNEA57a nl4OsWOxvITqNaOWlklUY3Hq1V94mggs9rkezUL3TR9dfH/6VU6tac7LaEQWTgBo3T/6 NfiB0l/LRytWk+L6Us5klc0FGGWQKeEzLvDczYCUP/zuS8E/W5wF7edYiUBXY76GYQlA nD9ksVyMquCEWjt1vlflzhJoXOIf3G9u8nR+3TBlCtPeaEUCb0SpWke19QWMsz8M56JS LEc/n57xZ0OtuL13n9OcLbH3bI65FABMCG7Lecd6BkyXvuIEBQaDCSwMyDrPxGwe+yjp df6A==
X-Received: by 10.66.136.131 with SMTP id qa3mr50578798pab.77.1405049439930; Thu, 10 Jul 2014 20:30:39 -0700 (PDT)
Received: from [192.168.178.23] (22.198.69.111.dynamic.snap.net.nz. [111.69.198.22]) by mx.google.com with ESMTPSA id jt7sm704085pbc.46.2014.07.10.20.30.37 for <ipv6@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 10 Jul 2014 20:30:38 -0700 (PDT)
Message-ID: <53BF5A67.7050401@gmail.com>
Date: Fri, 11 Jul 2014 15:30:47 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: 6man <ipv6@ietf.org>
Subject: Re: I-D Action: draft-vyncke-6man-segment-routing-security-00.txt
References: <20140703134709.19452.78442.idtracker@ietfa.amsl.com>
In-Reply-To: <20140703134709.19452.78442.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/qvnoo2G8ZkheX1w6Z51UjH2JN04
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jul 2014 03:30:43 -0000
Hi, This draft says: > The SRH is simply another version of the routing header as described > in [RFC2460] and is: > > o inserted when entering the segment routing domain which could be > done by a node or by a router; There is no provision for routers to insert headers in an IPv6 packet, because this changes the packet size (and the payload length) and therefore breaks PMTU mechanisms. Only the host that originates a packet can insert headers. It seems that draft-previdi-6man-segment-routing-header-01 has the same problem. It says: > When creating the SRH (either at ingress node or in the SDN > controller) the following is done: > > Next Header and Hdr Ext Len fields are set according to [RFC2460]. > > Routing Type field is set as TBD (SRH). > > The DA of the packet is set with the address of the FIRST segment > of the path. (etc.) These are operations that can only be done by the host that creates the IPv6 packet, which is also the only place that a fragment header can be included if needed. As I understand it, the "ingress node" is a router, not the originating host. So this seems to be broken. Brian
- Re: I-D Action: draft-vyncke-6man-segment-routing… Brian E Carpenter
- Re: I-D Action: draft-vyncke-6man-segment-routing… Eric Vyncke (evyncke)
- Re: I-D Action: draft-vyncke-6man-segment-routing… Stefano Previdi (sprevidi)
- Re: I-D Action: draft-vyncke-6man-segment-routing… Brian E Carpenter