RE: Segment Routing Drafts

Ron Bonica <rbonica@juniper.net> Wed, 06 March 2019 20:23 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Fred Baker <fredbaker.ietf@gmail.com>
CC: IPv6 List <ipv6@ietf.org>
Subject: RE: Segment Routing Drafts
Date: Wed, 06 Mar 2019 20:23:20 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/PaYIskGDCSr3yHU1xpt3nmeiQLM>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Brian, Fred,

Thanks for these comments. The Security Considerations Section has been rewritten as follows:

"The OAM option can also be used in denial of service attacks. Network devices SHOULD protect themselves against such attacks by limiting the number of OAM options that they process per unit time. If the rate limit is exceeded, the network device MAY either discard the packet or continue to process the packet, ignoring the OAM option."

While the OAM option offers an alternative to the SRv6 OAM bit, its applicability is not restricted to SRv6. It is applicable in any IPv6 packet.

Ron


> -----Original Message-----
> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
> Sent: Friday, March 1, 2019 7:23 PM
> To: Fred Baker <fredbaker.ietf@gmail.com>; Ron Bonica
> <rbonica@juniper.net>
> Cc: IPv6 List <ipv6@ietf.org>
> Subject: Re: Segment Routing Drafts
> 
> On 02-Mar-19 11:25, Fred Baker wrote:
> >
> >
> >> On Feb 27, 2019, at 8:22 PM, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> >> - https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dbonica-2D6man-2Doam_&d=DwICaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=fA-M3FuAMPPT1Vz39C2CSoahbM305dnBjaZxsUnSkw8&s=UrTODtxAc6CDYfNqaswsGetVveWmZuh3Iy5UCVRnOxc&e=
> >
> > I read this draft, and was immediately puzzled. The OAM option is useful
> > if and only if it is implemented and configured, and (per the security
> > considerations) is a reason the packet should not be permitted to enter a
> > subsequent network.
> 
> The text is confusing. It says:
> 
>    Network operators should block packets containing these extension
>    headers at their boundary.
> 
> I hope that that is meant to say:
> 
>    Network operators should block packets containing the OAM option
>    at their boundary.
> 
> Because clearly it is way out of scope for this draft to address firewall
> recommendations in general (which anyway are covered by
> draft-ietf-opsec-ipv6-eh-filtering, currently "Waiting_for_AD_Go-Ahead").
> 
> > As such, it is only useful on a small subset of the systems it encounters,
> > and only in the originating network.
> >
> > Am I reading this correctly?
> 
> Well, if it is intended as part of the segment routing specs, that needs to be
> stated in the draft. If so, it presumably inherits the property of segment
> routing that it only works within a Segment Routing Domain
> (https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc8402-23page-2D6&d=DwICaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=fA-M3FuAMPPT1Vz39C2CSoahbM305dnBjaZxsUnSkw8&s=Bg0e57opW73bkN5KGBqF0IB31ou5hvoNF9hvaf6HKSM&e=)
> and the OAM option would be blocked at the domain boundary.
> 
> Which is one of the motivations for draft-carpenter-limited-domains, of
> course.
> 
>     Brian
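
Added example, not part of the original message or of the draft: one way a device could enforce the rate limit described in the rewritten Security Considerations text, using a token bucket with a local policy for the over-limit case (ignore the option or discard the packet). The structure, the function names and the rate/burst parameters are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum oam_verdict { OAM_PROCESS, OAM_IGNORE_OPTION, OAM_DROP_PACKET };

struct oam_limiter {
    uint64_t rate;          /* OAM options allowed per second (hypothetical knob) */
    uint64_t cap_milli;     /* burst size in tokens, scaled by 1000 */
    uint64_t tokens_milli;  /* tokens currently available, scaled by 1000 */
    uint64_t last_ms;       /* time of the last refill, in milliseconds */
    enum oam_verdict on_exceed; /* local policy: OAM_IGNORE_OPTION or OAM_DROP_PACKET */
    uint64_t exceeded;      /* over-limit counter an operator can alert on */
};

void oam_limiter_init(struct oam_limiter *l, uint64_t rate, uint64_t burst,
                      enum oam_verdict on_exceed, uint64_t now_ms)
{
    l->rate = rate;
    l->cap_milli = burst * 1000;
    l->tokens_milli = l->cap_milli;   /* start with a full bucket */
    l->last_ms = now_ms;
    l->on_exceed = on_exceed;
    l->exceeded = 0;
}

/* Call once per received packet that carries the OAM option. */
enum oam_verdict oam_limiter_check(struct oam_limiter *l, uint64_t now_ms)
{
    if (now_ms > l->last_ms && l->rate > 0) {
        uint64_t elapsed = now_ms - l->last_ms;
        uint64_t room = l->cap_milli - l->tokens_milli;
        /* rate tokens/s equals rate milli-tokens/ms; clamp without overflow */
        if (elapsed > room / l->rate) l->tokens_milli = l->cap_milli;
        else l->tokens_milli += elapsed * l->rate;
        l->last_ms = now_ms;
    }
    if (l->tokens_milli >= 1000) {    /* one whole token per OAM option */
        l->tokens_milli -= 1000;
        return OAM_PROCESS;
    }
    l->exceeded++;
    return l->on_exceed;              /* the MAY discard / MAY ignore choice */
}

int main(void)
{
    struct oam_limiter l;
    uint64_t arrivals_ms[] = { 0, 0, 0, 500, 500 };  /* constructed arrival times */
    oam_limiter_init(&l, 2, 2, OAM_IGNORE_OPTION, 0);
    for (int i = 0; i < 5; i++)
        printf("t=%llu verdict=%d\n", (unsigned long long)arrivals_ms[i],
               (int)oam_limiter_check(&l, arrivals_ms[i]));
    return 0;
}
```

Packets without the OAM option never reach the limiter, so an OAM flood cannot starve ordinary forwarding; the `exceeded` counter gives operators a signal that the limit is being hit.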