Re: Comments on < draft-previdi-6man-segment-routing-header-07>
Bob Hinden <bob.hinden@gmail.com> Wed, 02 September 2015 11:32 UTC
Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 544AB1A9153 for <ipv6@ietfa.amsl.com>; Wed, 2 Sep 2015 04:32:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jPjzXGedqIZk for <ipv6@ietfa.amsl.com>; Wed, 2 Sep 2015 04:32:16 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27BAE1B2F3E for <ipv6@ietf.org>; Wed, 2 Sep 2015 04:32:15 -0700 (PDT)
Received: by wiclp12 with SMTP id lp12so15698953wic.1 for <ipv6@ietf.org>; Wed, 02 Sep 2015 04:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=8N6aJCrDI2CR2zT27MdG4n0VjRuwI+kEOzTXv7c8n74=; b=lKE/gGqhPFAHmCmHAFi+56oGqRcc2itHqywUBLjE2CnhadnCylTrB5EIhu5SO9F7j5 i9LgFWy6hObx7lNBE0j3+gniAKSNNjPhrvtUBehtimVJQSWvtxYNAgznIk4ByMgk6tR3 ucEO3Dl8SLJ30TEo8ugEg87fRSdmukllMcizSfaIBx06BmgGSRXU7lmxBvLLgLS9ZYQt AUCQpDL86siJDqxWVE64b0bYK6VwxDvACIHjKrjhF0kFK5t9bIitkyGKWXNgdI8OnJCx H9JBtaux1qgnpUZdbN/Fl11bhkio4K1qC+u2HfQG36q8c2rq4Km2TGiHot1tu8bTyOq7 wejw==
X-Received: by 10.181.11.134 with SMTP id ei6mr3556329wid.83.1441193533692; Wed, 02 Sep 2015 04:32:13 -0700 (PDT)
Received: from [172.24.248.45] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id uo6sm31892922wjc.1.2015.09.02.04.32.11 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 02 Sep 2015 04:32:12 -0700 (PDT)
Subject: Re: Comments on < draft-previdi-6man-segment-routing-header-07>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_DD3E0EAC-F44D-4AFA-AE29-19D6519C66CF"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5.1
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <52B5ADC9-F473-40E8-AEA2-844F7B5F3948@cisco.com>
Date: Wed, 02 Sep 2015 14:32:06 +0300
Message-Id: <69BC9E1D-C39F-48F2-A2B5-EBFCE7F6C311@gmail.com>
References: <37367180-B86E-41D0-A798-772B46487AD8@gmail.com> <52B5ADC9-F473-40E8-AEA2-844F7B5F3948@cisco.com>
To: "Stefano Previdi (sprevidi)" <sprevidi@cisco.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/yQjn07Z0tBolvUHKcBnTyybY7Pw>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 11:32:18 -0000
Stefano, > On Sep 1, 2015, at 12:55 PM, Stefano Previdi (sprevidi) <sprevidi@cisco.com> wrote: > > Hi Bob, > > thanks for your comments, see below... > > On Aug 1, 2015, at 10:01 PM, Bob Hinden <bob.hinden@gmail.com> wrote: >> Hi, >> >> A few comments on this draft, I think the w.g. should consider. Some are editorial, others more serious. >> >> The new draft now includes (as the w.g. requested) the security discussion (in Section 9) that was previously in a separate draft. I think that improves this document, however, there are still references in to separate draft, for example Section 6.2.1.1 “Security at Ingress” and many other places in the document. These need to be fixed. It would probably also be good to move the definition of the HMAC out of the Security Considerations section into the the main part of the draft. > > > I agree. The request of merging the two drafts has been fulfilled rapidly and some obvious editing work needs to be done in order to properly incorporate the security draft into the SRH one. We're working on this. Good. > > >> The basic security approach that resolves the issues raised with deprecated RH0 (RFC5095) is the inclusion an HMAC in the routing header. It covers the Source IP address, First Segment field, octet with clean-up flag, HMAC Key-ID, and all the addresses in the Segment list. That makes sense. It verified by the first SR ingress node. Clearly a better approach than the RH0. I note that the HMAC does not include the Flow ID even though the document says the HMAC value is unique per flow. >> >> The document includes in a number of places describes actions taken by an SDN controller. I don’t see any references in the document to how this works. One simple example, in Section 8, it says “Host A sends a request for a path to server X to the SDN controller or orchestration system”. There is not any detail on how the host communicates with the SDN controller, nor how the SDN controller communicates with the ingress nodes. I didn’t see anything in the document (or a reference to another document) how the host would know how to do this. > > > well, this is part of the SDN model and its northbound APIs. Clearly, is out of the scope of the SRH draft. My point is that is says that a host is supposed to do this, but there isn’t even a reference to what it should do. In other words, on one could not implement this from this draft. > > >> The HMAC is only verified at the ingress to the SR domain. It says it doesn’t have to be validated inside the SR domain. The resulting security model is what I would call “hard exterior, soft interior” or “egg shell” model. That is if a node inside of the “trusted” SR domain is compromised, all of the problems identified in RFC5095 are possible. It’s quite well known that this kind of security model is not very strong. > > > this is how most of the networks are operated today. All the security mechanisms are implemented at the edge and very little is replicated in the core so to keep the core as light as possible in its configuration. In this respect, SRH doesn't add/remove anything to the existing model. You are making a very broad statement, but IMHO it is broken. We should not be designing new mechanisms that have weak security. > > >> Creating routing headers with many 128bit IPv6 addresses other identifiers, and the HMAC, is going to cause path MTU problems. The SR header could get very large. I don’t see any mention of this issue in this draft about this. This is a serious oversight in my opinion. > > > Well, the mtu issue has been raised since the early days of tunneling so again here nothing new. Having said that, we can certainly add some text in order to illustrate how an operator can safely run encapsulation methods increasing packet size without breaking traffic flows (e.g. mpls). > > Now, I take the proposal of restricting the srh insertion at the source, which allows a transit router to do insertion through the addition of an outer ipv6 header. That would help, and if the issue was discussed in the draft. > > So, my proposal is to: > . restructure the content of the draft, focus on header format and operations > . describe the operational model: srh insertion/removal, definition of sr-domain I think RFC6554 "An IPv6 Routing Header for Source Routes with the Routing Protocol for Low-Power and Lossy Networks (RPL)” is a good model for how to do new SR headers. I suggest you take a look and rework your document to follow the way RFC6554 resolved the issues. Bob
- Comments on < draft-previdi-6man-segment-routing-… Bob Hinden
- Re: Comments on < draft-previdi-6man-segment-rout… Brian E Carpenter
- Re: Comments on < draft-previdi-6man-segment-rout… Mark Smith
- Re: Comments on < draft-previdi-6man-segment-rout… Stefano Previdi (sprevidi)
- Re: Comments on < draft-previdi-6man-segment-rout… Stefano Previdi (sprevidi)
- Re: Comments on < draft-previdi-6man-segment-rout… Fernando Gont
- Re: Comments on < draft-previdi-6man-segment-rout… Mark Smith
- RE: Comments on < draft-previdi-6man-segment-rout… Liushucheng (Will)
- Re: Comments on < draft-previdi-6man-segment-rout… Bob Hinden