Re: Limited Domains:
Tony Przygienda <tonysietf@gmail.com> Mon, 19 April 2021 08:50 UTC
References: <8128f0b59e5c40538c42f1f60f19fad2@huawei.com> <CAO42Z2xpnK4pBpyhYArF_ncfFZrwNLrHy6rAMBpDtD5i_qX0-g@mail.gmail.com>
In-Reply-To: <CAO42Z2xpnK4pBpyhYArF_ncfFZrwNLrHy6rAMBpDtD5i_qX0-g@mail.gmail.com>
From: Tony Przygienda <tonysietf@gmail.com>
Date: Mon, 19 Apr 2021 10:49:24 +0200
Message-ID: <CA+wi2hP=FAoQbR07duahTJjfa4Wdsoj3MuQYq=9nHKwOfDr_BA@mail.gmail.com>
Subject: Re: Limited Domains:
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Jiayihao <jiayihao@huawei.com>, draft-filsfils-6man-structured-flow-label@ietf.org, 6MAN <6man@ietf.org>, 6man WG <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/srCxPF_yp_-ey7ff3qY08n5ju4g>
+1

As a simple example: I for myself saw the 255 TTL security "protection" that was supposed to prevent "attack-from-multiple-hops away" happily running away in a network on bugs in forwarding path more than once ;-)

So yes, either air-gap or define a "non-compatible species" gap as in new protocol format/codepoint, everything else is sophism not supported by real experience.

-- tony

On Sat, Apr 17, 2021 at 6:56 AM Mark Smith <markzzzsmith@gmail.com> wrote:

> On Sat, 17 Apr 2021, 13:45 Jiayihao, <jiayihao@huawei.com> wrote:
>
>> argument 1:
>>
>> > [Gyan Mishra] There are so many variables and variations and nuances
>> the idea of a “limited” or “closed” domain exists which could encompass all
>> sub domains and thus in some cases that limited domain may not see that
>> limited as it could be quite massive.
>>
>> [Brian] Limited domains exist for all kinds of reasons. Like it or not
>> (and some people don't like it), the current architecture of the Internet
>> includes thousands (probably millions) of limited domains.
>>
>> Yeah. Like it or not, limited domain is already a life of fact.
>>
>> One problem seems to be even we have define limited domain on RFC 8799,
>> but there seems ‘views vary from person to person’. In fact, every global
>> CDN network can be considered as a limited domain in general, Google WAN,
>> AWS WAN for example. And this is align with the definition of RFC8799.
>>
>> So generally speaking, even QUIC can be regarded as a limited domain
>> protocol philosophically.
>>
>
> Limited doesn't really exist if the domain talks the same protocol as
> adjacent domains, and there are possibilities that a packet can
> successfully escape one limited domain and successfully enter another.
>
> Implementation bugs, hardware failures, operator configuration error and
> default and aggregate routing create those possibilities.
>
> Packets with Link-Local source or destination addresses are supposed to
> have a limited forwarding domain limited to a link, yet we know packets
> with LLA source addresses leak off of links due to destination only
> forwarding implementations.
>
> In other words, there hasn't been 100% success at creating the simple
> limited domain of a link for LLA addressed packets, and that is supposed to
> be an implementation default and is an RFC requirement. Good luck when it
> depends on human operators to configure it.
>
> Truly limited domains can only be created in two ways:
>
> - A physical air gap
>
> - The ingresses to all adjacent domains have no possibility of accepting
> and having any understanding of the local limited domain's packets if they
> escape (e.g. an MPLS network trying to send packets into adjacent domains
> that do not use MPLS at all).
>
> IPv6, being an internetworking protocol, is specifically designed to be an
> inter-domain protocol to facilitate internetworking networks and the hosts
> attached to them. Trying to use it as a limited domain protocol is
> fundamentally fighting against its design goals.
>
>> argument 2:
>>
>> > [Manfredi (US), Albert E] My main view is, if the domain is truly
>> limited, firewalled or even air gapped, then what is the motivation to seek
>> approval in a standards body?
>>
>> [Brian] On that argument the SPRING WG should never have been
>> chartered and the 6MAN WG should never have approved RFC8754. Also, we
>> should never have defined diffserv in 1998. And NAT, of course, would be
>> excluded by definition, and RFC1918 from 1996 would need to be obsoleted.
>>
>> My point here is: it is not conflict.
>>
>> Protocol that works in a limited domain area like MPLS, SRv6 never
>> built/rely on the concept of Limited domain. On the contrary, limited
>> domain is a result of overall observation of the current technologies.
>>
>> So here comes to the reality: for every design that targeted for a
>> limited domain scope, once it is targeted and going to be standardized by
>> any SDO, then it will eventually to be adopted anywhere in the
>> Internet-wide area.
>>
>> So the result is: for every STANDARDIZED “proprietary” tech which
>> conceptually belongs to limited domain will actually be adopted in the
>> Internet wide (if the value is acknowledged).
>>
>> argument 3:
>>
>> > [Robert] And I fully understand why this is going on like this - to
>> make sure new features do not break existing IPv6 world ... it is just that
>> protecting something which technically is already addressed and keeping
>> innovation gated is IMO not the best strategy for networking.
>>
>> [Brian] Yes. That's exactly why I worked on RFC8799.
>>
>> Agree. One thing should care about as mentioned in RFC 8799 security
>> consideration: “a protocol intended for limited use may well be
>> inadvertently used on the open Internet, so limited use is not an excuse
>> for poor security.” As silicon technique evolved, old-fashion/obsolete
>> network design will be replaced by new design.
>>
>> Although consistency is quite important for IPv6 at this stage (which I
>> agree as well), IPv6 will eventually face challenges one day.
>>
>> -----------
>>
>> Only thing we have to pay attention for is: we hate the pain of IPv4 to
>> IPv6 upgrade, and we really don’t want such pain happened any more. I guess
>> this is most concerns that many of us worrying for.
>>
>> My2cents,
>>
>> Yihao Jia
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
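
The link-local leak described in the quoted message, as an added example that is not part of the original thread: a destination-only forwarding decision beside one that also checks source scope. The routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed sample packets: (source, destination, hop_limit). Not captured traffic.
SAMPLE_PACKETS = [
    ("2001:db8:1::10", "2001:db8:2::20", 64),  # ordinary global traffic
    ("fe80::1", "2001:db8:2::20", 64),         # link-local source, off-link destination
    ("2001:db8:1::10", "fe80::2", 64),         # link-local destination
    ("2001:db8:1::10", "2001:db8:2::20", 1),   # hop limit expires at this router
]

# Hypothetical routing table: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("2001:db8:2::/48"): "eth1",
    ipaddress.ip_network("::/0"): "eth0",
}


def lookup(dst):
    """Longest-prefix match on the destination address only."""
    matches = [net for net in ROUTES if dst in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def forward_destination_only(src, dst, hop_limit):
    """Forwarding path that never inspects the source address."""
    dst_addr = ipaddress.ip_address(dst)
    if dst_addr.is_link_local or hop_limit <= 1:
        return "drop"
    return lookup(dst_addr)


def forward_scope_checked(src, dst, hop_limit):
    """Same path, but a link-local source is also refused, so the packet
    stays on its link as the address scope requires."""
    if ipaddress.ip_address(src).is_link_local:
        return "drop"
    return forward_destination_only(src, dst, hop_limit)


def leaked(packets):
    """Packets with a link-local source that the destination-only path forwards."""
    return [p for p in packets
            if ipaddress.ip_address(p[0]).is_link_local
            and forward_destination_only(*p) != "drop"]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, forward_destination_only(*pkt), forward_scope_checked(*pkt))
```
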