IETF Logo Mail Archive

Re: Limited Domains:

Tony Przygienda <tonysietf@gmail.com> Mon, 19 April 2021 08:50 UTC

Return-Path: <tonysietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6053E3A2920; Mon, 19 Apr 2021 01:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vVBIjWX74mT; Mon, 19 Apr 2021 01:50:02 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C89443A291E; Mon, 19 Apr 2021 01:50:01 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id h141so25683943iof.2; Mon, 19 Apr 2021 01:50:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pxvGXX1kicDL+qUWq/Ff3lZz/qyr+2CIzVXwbp/YxkA=; b=kkLl+g9QwzCX/QPoIZ9hhukkr9kAOcSHrA+TjvkpkVQyW3wrud4IEsFsZsEhp4Rd6f h024nd92l9CSufRH5J2iyxcewWtLMgrjHOwtA2JsV5EZSG5E0l3YmuakhDLJWobvgkms tnuepuuAixMqfsixBpRr7bkzCMhw6DsUULJim3BeHCnbVuVYtez1Cm9zHp9usQWH0Oej o6qEKkWjr7GBa90gx/yFpc1Qg2Bupd//OzqyrxRsEl5l4YLrPHXd9ux4JOCdUWNT2RR6 /Nftd6+1Zo+3SzGPqpS8rRKMrMLCfyz2PiSWptmz8V5E/VE/W5ms1hww2jXPyaTrq1d4 j5dw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pxvGXX1kicDL+qUWq/Ff3lZz/qyr+2CIzVXwbp/YxkA=; b=bfZC6ImJm3OJnuKZ+CuRYrqkdRzwepGZfUk78wtqpHCaracumD4uprjwrOW0AgQqMQ 9j8FkbK2ae4240mkvSBa8gb6YAXTW82MFg01BR4Q1FS935pknPrlw3pf5naQ89eI4jGN 7tGb73McdQHYlO2MdfypCPRphDKAVZmbvXBlMiTmnAXMX5iZI1Bi2OMpMLNNCkySend6 YDDYcviw1gccAvPUVqacemqzLh16nx3gnXA/7QIAKM1hmtyCiPvw4a2lBcGBma7nHMP4 Ura5xBpo34+6zNOkSOYGTgcU6tH5I4jRnmYCJlqT3fmbKKM5OXz5swVgIV1n/2Kk/qc3 +p4Q==
X-Gm-Message-State: AOAM530mSPzACCAGXOVjs1g7Lqfuo4QElCRKyaZ3KTpPPvS7MNmrfdWJ WkkWgdz4zvtIk2l3pgjYHyqhRrGNwWQds1xbUkQ=
X-Google-Smtp-Source: ABdhPJwYCLqVJG9D/H8/evjSZ+rnkRKOiteMJObEXe6LoI7gP4Gsa20eatUGZiVNsF3Ww6qm8hSAZDFGRMZSwxRWWkI=
X-Received: by 2002:a5d:8b1a:: with SMTP id k26mr13840752ion.191.1618822200587; Mon, 19 Apr 2021 01:50:00 -0700 (PDT)
MIME-Version: 1.0
References: <8128f0b59e5c40538c42f1f60f19fad2@huawei.com> <CAO42Z2xpnK4pBpyhYArF_ncfFZrwNLrHy6rAMBpDtD5i_qX0-g@mail.gmail.com>
In-Reply-To: <CAO42Z2xpnK4pBpyhYArF_ncfFZrwNLrHy6rAMBpDtD5i_qX0-g@mail.gmail.com>
From: Tony Przygienda <tonysietf@gmail.com>
Date: Mon, 19 Apr 2021 10:49:24 +0200
Message-ID: <CA+wi2hP=FAoQbR07duahTJjfa4Wdsoj3MuQYq=9nHKwOfDr_BA@mail.gmail.com>
Subject: Re: Limited Domains:
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Jiayihao <jiayihao@huawei.com>, draft-filsfils-6man-structured-flow-label@ietf.org, 6MAN <6man@ietf.org>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000038795605c04f6ace"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/srCxPF_yp_-ey7ff3qY08n5ju4g>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 08:50:07 -0000

+1

As simple exaple: I for myself saw the 255 TTL security "protection" that
was supposed to prevent "attack-from-multiple-hops away" happily running
away in a network on bugs in forwarding path more than once ;-)

So yes, either air-gap or define a "non-compatible species" gap as in new
protocol format/codepoint, everything else is sophism not supported by real
experience.

-- tony

On Sat, Apr 17, 2021 at 6:56 AM Mark Smith <markzzzsmith@gmail.com> wrote:

>
>
> On Sat, 17 Apr 2021, 13:45 Jiayihao, <jiayihao@huawei.com> wrote:
>
>> argument 1:
>>
>> > [Gyan Mishra] There are so many variables and variations and nuances
>> the idea of a “limited” or “closed” domain exists which could encompass all
>> sub domains and thus in some cases that limited domain may not see that
>> limited as it could be quite massive.
>>
>> >> [Brian] Limited domains exist for all kinds of reasons. Like it or not
>> (and some people don't like it), the current architecture of the Internet
>> includes thousands (probably millions) of limited domains.
>>
>>
>>
>> Yeah. Like it or not, limited domain is already a life of fact.
>>
>> One problem seems to be even we have define limited domain on RFC 8799,
>> but there seems ‘views vary from person to person’. In fact, every global
>> CDN network can be considered as a limited domain in general, Google WAN,
>> AWS WAN for example. And this is align with the definition of RFC8799.
>>
>> So generally speaking, even QUIC can be regarded as a limited domain
>> protocol philosophically.
>>
>>
>>
>>
>>
>
> Limited doesn't really exist if the domain talks the same protocol as
> adjacent domains, and there are possibilities that a packet can
> successfully escape one limited domain and successfully enter another.
>
> Implementation bugs, hardware failures, operator configuration error and
> default and aggregate routing create those possibilities.
>
> Packets with Link-Local source or destination addresses are supposed to
> have a limited forwarding domain limited to a link, yet we know packets
> with LLA source addresses leak off of links due to destination only
> forwarding implementations.
>
> In other words, there hasn't been 100% success at creating the simple
> limited domain of a link for LLA addressed packets, and that is supposed to
> be an implementation default and is an RFC requirement. Good luck when it
> depends on human operators to configure it.
>
> Truly limited domains can only be created in two ways:
>
> - A physical air gap
>
> -  The ingresses to all adjacent domains have no possibility of accepting
> and having any understanding of the local limited domain's packets if they
> escape (e.g. an MPLS network trying to send packets into adjacent domains
> that do not use MPLS at all).
>
> IPv6, being an internetworking protocol, is specifically designed to be an
> inter-domain protocol to facilitate internetworking networks and the hosts
> attached to them. Trying to use it as a limited domain protocol is
> fundamentally fighting against its design goals.
>
>
>
> argument 2:
>>
>> > [Manfredi (US), Albert E] My main view is, if the domain is truly
>> limited, firewalled or even air gapped, then what is the motivation to seek
>> approval in a standards body?
>>
>> >> [Brian] On that argument the SPRING WG should never have been
>> chartered and the 6MAN WG should never have approved RFC8754. Also, we
>> should never have defined diffserv in 1998. And NAT, of course, would be
>> excluded by definition, and RFC1918 from 1996 would need to be obsoleted.
>>
>>
>>
>> My point here is: it is not conflict.
>>
>> Protocol that works in a limited domain area like MPLS, SRv6 never
>> built/rely on the concept of Limited domain. On the contrary, limited
>> domain is a result of overall observation of the current technologies.
>>
>> So here comes to the reality: for every design that targeted for a
>> limited domain scope, once it is targeted and going to be standardized by
>> any SDO, then it will eventually to be adopted anywhere in the
>> Internet-wide area.
>>
>> So the result is: for every STANDARDIZED “proprietary” tech which
>> conceptually belongs to limited domain will actually be adopted in the
>> Internet wide (if the value is acknowledged).
>>
>>
>>
>>
>>
>> argument 3:
>>
>> > [Robert] And I fully understand why this is going on like this - to
>> make sure new features do not break existing IPv6 world ... it is just that
>> protecting something which technically is already addressed and keeping
>> innovation gated is IMO not the best strategy for networking.
>>
>> >> [Brian] Yes. That's exactly why I worked on RFC8799.
>>
>>
>>
>> Agree. One thing should care about as mentioned in RFC 8799 security
>> consideration: “a protocol intended for limited use may well be
>> inadvertently used on the open Internet, so limited use is not an excuse
>> for poor security.” As silicon technique evolved, old-fashion/obsolete
>> network design will be replaced by new design.
>>
>> Although consistency is quite important for IPv6 at this stage (which I
>> agree as well), IPv6 will eventually face challenges one day.
>>
>>
>>
>> -----------
>>
>> Only thing we have to pay attention for is: we hate the pain of IPv4 to
>> IPv6 upgrade, and we really don’t want such pain happened any more. I guess
>> this is most concerns that many of us worrying for.
>>
>>
>>
>> My2cents,
>>
>> Yihao Jia
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email