RE: I-D Action: draft-bonica-6man-ext-hdr-update-01.txt

"Chengli (Cheng Li)" <chengli13@huawei.com> Tue, 10 March 2020 14:17 UTC

Return-Path: <chengli13@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDA13A13E2 for <ipv6@ietfa.amsl.com>; Tue, 10 Mar 2020 07:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VF_IBuoNJvZT for <ipv6@ietfa.amsl.com>; Tue, 10 Mar 2020 07:17:30 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA17E3A1439 for <ipv6@ietf.org>; Tue, 10 Mar 2020 07:17:28 -0700 (PDT)
Received: from LHREML710-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id E126BB6CE5294B44E86B; Tue, 10 Mar 2020 14:17:25 +0000 (GMT)
Received: from lhreml737-chm.china.huawei.com (10.201.108.187) by LHREML710-CAH.china.huawei.com (10.201.108.33) with Microsoft SMTP Server (TLS) id 14.3.408.0; Tue, 10 Mar 2020 14:17:25 +0000
Received: from lhreml737-chm.china.huawei.com (10.201.108.187) by lhreml737-chm.china.huawei.com (10.201.108.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Tue, 10 Mar 2020 14:17:25 +0000
Received: from DGGEML402-HUB.china.huawei.com (10.3.17.38) by lhreml737-chm.china.huawei.com (10.201.108.187) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.1.1713.5 via Frontend Transport; Tue, 10 Mar 2020 14:17:25 +0000
Received: from DGGEML529-MBX.china.huawei.com ([169.254.6.178]) by DGGEML402-HUB.china.huawei.com ([fe80::fca6:7568:4ee3:c776%31]) with mapi id 14.03.0439.000; Tue, 10 Mar 2020 22:17:22 +0800
From: "Chengli (Cheng Li)" <chengli13@huawei.com>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>, 6man <ipv6@ietf.org>
Subject: RE: I-D Action: draft-bonica-6man-ext-hdr-update-01.txt
Thread-Topic: I-D Action: draft-bonica-6man-ext-hdr-update-01.txt
Thread-Index: AQHV9cnbDALsg07aCEe4uUEfssSHF6g/7GAAgAHtDIA=
Date: Tue, 10 Mar 2020 14:17:21 +0000
Message-ID: <C7C2E1C43D652C4E9E49FE7517C236CB02961B61@dggeml529-mbx.china.huawei.com>
References: <158354206076.2347.5217574891432588007@ietfa.amsl.com> <a7ba91a9-bd80-c657-aed6-d14f57e91c68@gmail.com> =?utf-8?q?=3CDM6PR05MB6348?= =?utf-8?q?498594DCE0BB96C81243AEFE0=40DM6PR05MB6348=2Enamprd05=2Eprod=2Eout?= =?utf-8?q?look=2Ecom=3E?=
In-Reply-To: =?utf-8?q?=3CDM6PR05MB6348498594DCE0BB96C81243AEFE0=40DM6PR05MB?= =?utf-8?q?6348=2Enamprd05=2Eprod=2Eoutlook=2Ecom=3E?=
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.203.229]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/zp1pSClNPPo3lL3UMxaDCo7Svec>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 14:17:40 -0000

Hi Ron and Brian,

Thanks for your considerations of https://tools.ietf.org/html/draft-lc-6man-generalized-srh-00.

I agree with Ron that the data after the first four fields is the Type Specific data, and this is described in https://tools.ietf.org/html/rfc8200#section-4.4 as well. We also consider this in G-SRH design.

Agree with Brian about the word "process", should make it clearer. Does process equal to read & process? Or read & process & modify/write?

Best,
Cheng


-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Ron Bonica
Sent: Tuesday, March 10, 2020 12:23 AM
To: Brian E Carpenter <brian.e.carpenter@gmail.com>om>; 6man <ipv6@ietf.org>
Subject: RE: I-D Action: draft-bonica-6man-ext-hdr-update-01.txt

Hi Brian,

As always, thanks for the thoughtful review. I will post a new version in the next few hours addressing your comments. Until then, responses inline......

                                                                                           Ron


Juniper Business Use Only

-----Original Message-----
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Sent: Monday, March 9, 2020 12:18 AM
To: 6man <ipv6@ietf.org>rg>; Ron Bonica <rbonica@juniper.net>
Subject: Re: I-D Action: draft-bonica-6man-ext-hdr-update-01.txt

Hi,

I'm going to nit-pick the crucial text in the draft, without taking a position on whether it should go forward. I think it's essential to get the text right before we take any sort of decision.

> 2.  Terminology
> 
>    The following terms are used in this document:
> 
>    o  Source node - An IPv6 source node accepts data from an upper-layer
>       protocol, encapsulates it in an IPv6 header, and sends the
>       resulting IPv6 packet to a destination node.

Actually it doesn't encapsulate, it simply prepends the IPv6 header.

[RB] Agree. Fixed in the new version.
 
>    o  Destination node - An IPv6 destination node receives an IPv6
>       packet and delivers its payload to an upper-layer protocol.

If that's what we now mean by "Destination node", we probably need to add a note that the Destination address might not be the address of the Destination node (as stated at https://urldefense.com/v3/__https://tools.ietf.org/html/rfc8200*page-7__;Iw!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-vzjA6Wr8R8o6JrbszFQY-qsZTh5RyS2SWT2$ ).

[RB] Agree. Fixed in the new version.

> 
>    o  Delivery path - A packet's delivery path is a series of nodes that
>       a packet traverses on route to its destination.  The delivery path
>       includes the destination node.
> 
>    o  Segment - A segment is a series of links and nodes in a packet's
>       delivery path.  The IPv6 Routing header steers packets from
>       segment to segment along the delivery path.  If a packet contains
>       a Routing header, its delivery path can contain multiple segments.
>       If a packet does not contain a Routing header, its delivery path
>       contains only one segment.

Are we sure that statement applies to all past, present and future types of routing header? If so, it should be "An IPv6 Routing header steers...".

[RB] This statement applies for all currently defined types. It's harder to predict the future. But I am hoping that the future is informed by the following text from Section 4.4 of RFC 8200:

" The Routing header is used by an IPv6 source to list one or more
   intermediate nodes to be "visited" on the way to a packet's
   destination.  This function is very similar to IPv4's Loose Source
   and Record Route option."
 
>    o  Segment egress node - A segment egress node terminates a segment.
>       When a packet arrives at a segment egress node, its IPv6
>       Destination Address identifies a resource that belongs to the
>       node.  All destination nodes are also segment egress nodes.

That's a significant change. According to RFC 4291, an IPv6 address is assigned to an interface; nothing to do with "resources". If you want an IPv6 address to identify a resource rather than act as a locator, that's an update to 4291, IMHO.

[RB] Agree. Fixed in the next version. s/resource/interface

> 3.  Updates To RFC 8200
....> 3.2.  Updated Text
> 
>    Source nodes can send packets that include extension headers.
>    Extension headers are not inserted by subsequent nodes along a
>    packet's delivery path.
> 
>    The Hop-by-Hop Options header can be processed by any node in a
>    packet's delivery path.

I have long been disturbed by the word "process". Any node can read the value of any extension header (unless encrypted). Firewalls do it and might drop packets as a result. So "process" can't mean "read".
Maybe it means "modify"? But of course options can only be modified in specified ways (and cannot be changed in length).

[RB] Agree. I think that it is fixed in the next version.

[RB] We need to make a distinction between examination and processing. So, I have added a rule that says, "Extension headers can be examined for various purposes (e.g., Firewall filtering) by any node along a packet's delivery path.

>    ... The following headers can be processed by
>    any segment egress node, including the destination node:
> 
>    o  Destination Options header.

Same comment.

> 
>    o  Routing header.

Same comment, but it should add that the spec of any type of routing header must specify precisely what modifications are allowed, and the length of the header must not increase.

[RB] Agree. Fixed in new version.
 
>    The following headers can be processed by the destination node only:
> 
>    o  The Fragment header.
> 
>    o  The Authentication header.
> 
>    o  The Encapsulating Security Payload header.

Do we really need to say that? Once the packet enters the destination node there's no issue.

[RB] Maybe not, but does it hurt to mention it?
 
>    Except for the following fields, extension headers are not modified
>    by nodes along a packet's delivery path:

See, "processed" only means anything if something is modified.

[RB] I'm not sure that I agree. Consider a Destination Options header that precedes the Routing header. It contains an option whose chg-bit is 0. It can be processed by any segment endpoint, but modified by none.

>    o  The Segments Left field in the Routing header.
> 
>    o  Type-specific data in the Routing header.

Are we sure that is enough for all future routing header types? (Actually, there's already a spec for which that rule is probably insufficient:
draft-lc-6man-generalized-srh, which adds a "C-SID left" field to the routing header.)

[RB] I think so. In a Routing header, everything that is not one of the first four fields is Type Specific data.
 
>    o  Option Data in the Destination Options header.
> 
>    Extension headers are not deleted by any node along a packet's
>    delivery path, until the packet reaches the destination node (or each
>    of the set of destination nodes, in the case of multicast).

Again, once the packet is inside the destination node, there's nothing to say.

[RB] We need to say something. If we don't people will assume that extension headers can be deleted by any node along a packets delivery path.

Finally, do we need some comment about AH? Should we require specs to state either that they are incompatible with AH, or to state exactly which fields are mutable for AH purposes?

[RB] Maybe, but I am not sure where that belongs in RFC 8200. Maybe Bob can advise.

                                             Ron


Regards
   Brian Carpenter

On 07-Mar-20 13:47, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 
>         Title           : Inserting, Processing And Deleting IPv6 Extension Headers
>         Author          : Ron Bonica
> 	Filename        : draft-bonica-6man-ext-hdr-update-01.txt
> 	Pages           : 5
> 	Date            : 2020-03-06
> 
> Abstract:
>    This document provides guidance regarding the processing, insertion
>    and deletion of IPv6 extension headers.  It updates RFC 8200.
> 
> 
> The IETF datatracker status page for this draft is:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-bon
> ica-6man-ext-hdr-update/__;!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-
> vzjA6Wr8R8o6JrbszFQY-qsZTh5RyDiuiux$
> 
> There are also htmlized versions available at:
> https://urldefense.com/v3/__https://tools.ietf.org/html/draft-bonica-6
> man-ext-hdr-update-01__;!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-vzj
> A6Wr8R8o6JrbszFQY-qsZTh5R_RaW2Oy$
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draf
> t-bonica-6man-ext-hdr-update-01__;!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZw
> szU62b-vzjA6Wr8R8o6JrbszFQY-qsZTh5R3LzW5-y$
> 
> A diff from the previous version is available at:
> https://urldefense.com/v3/__https://www.ietf.org/rfcdiff?url2=draft-bo
> nica-6man-ext-hdr-update-01__;!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU6
> 2b-vzjA6Wr8R8o6JrbszFQY-qsZTh5R2CiHZik$
> 
> 
> Please note that it may take a couple of minutes from the time of 
> submission until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> https://urldefense.com/v3/__ftp://ftp.ietf.org/internet-drafts/__;!!NE
> t6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-vzjA6Wr8R8o6JrbszFQY-qsZTh5R5vo
> WQxF$
> 
> 
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/i-d-
> announce__;!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-vzjA6Wr8R8o6Jrbs
> zFQY-qsZTh5Ry1oSTA3$ Internet-Draft directories: 
> https://urldefense.com/v3/__http://www.ietf.org/shadow.html__;!!NEt6yM
> aO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-vzjA6Wr8R8o6JrbszFQY-qsZTh5R3BOnf0P
> $ or
> https://urldefense.com/v3/__ftp://ftp.ietf.org/ietf/1shadow-sites.txt_
> _;!!NEt6yMaO-gk!Vg0zJoh5Uh0jsqku3JSdZwszU62b-vzjA6Wr8R8o6JrbszFQY-qsZT
> h5R942qJSv$
> 
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------