Re: [Roll] Erik Kline's Discuss on draft-ietf-roll-useofrplinfo-42: (with DISCUSS and COMMENT)
Ines Robles <mariainesrobles@googlemail.com> Fri, 15 January 2021 17:30 UTC
Return-Path: <mariainesrobles@googlemail.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F14A63A0EA8 for <roll@ietfa.amsl.com>; Fri, 15 Jan 2021 09:30:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=googlemail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNkMIve6jbmO for <roll@ietfa.amsl.com>; Fri, 15 Jan 2021 09:30:32 -0800 (PST)
Received: from mail-vk1-xa2f.google.com (mail-vk1-xa2f.google.com [IPv6:2607:f8b0:4864:20::a2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73F9D3A0E8D for <roll@ietf.org>; Fri, 15 Jan 2021 09:30:32 -0800 (PST)
Received: by mail-vk1-xa2f.google.com with SMTP id k9so2365415vke.4 for <roll@ietf.org>; Fri, 15 Jan 2021 09:30:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FVohn9f/lHpBYDlah/Pxz27pvw0AcZeWr6chgQejvtY=; b=piMUGS4ZLl6gXYBHYG5F9KtubL5fzTzIEuHMY7zaSZxAV8HgdI0P1hW5Epk9fdi27H CpbZ3Wyd3s+j0ONNPcCYXlymI4i5i6TTOV/aIbd+eQxBxFa1/VbiBq/O5r6eG9k177I6 nL1ueNzAqtV1GVRivxW3Dcy5A/WIa58RWWiJW+n4DiENpuhe4Y162Pw4+vJ+JcxaJudO NZoFpeu386hTMv6AKzkOwg95R31z5WQjUBhKMvVwUt9wsiYOzdd79ZpCnhQ4VBN8UxWp 5DVwo4g6w/SLK6nER+tCnLC5IlNic67GA8vuB6s+z9vv6zASfgPz//E4gkHG8UXFZg9E 3N6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FVohn9f/lHpBYDlah/Pxz27pvw0AcZeWr6chgQejvtY=; b=pr+/rohUv5xNl6/W8uzg9PtNRIxH0sXFczXXJDV8kcDXzVEBOOMMTIk2QO4zNARXhm 0YsvVZ/vOB9RDTEzLaIka9sW6Aeivw3Eqt28ckTWwrHQONxowO0ikoNKAxixqhOfj5Ds 8iF6vmMzI6uOzF0MtIH+bsOjZFHoig3PshIBHvHCx4Pk/wJqHr/c5ZL6tbOWrx04Ekkp WprDNlVBCIw8qbv7OeN2LIxEleaHbUNEHqiAkAVY41almoRkxzCuZ2h2AjixJpsBVYZU nbb9gJPef35U3GvLMMmeUuqhI2y7MVLLDkAeeQdraqqtSHb/vAXBFd8vf3OIWlInS0im SIIw==
X-Gm-Message-State: AOAM532IwBNUkKb1IHta1O/dhuS8BMIbilp+2gCJJPpQ1x8zUuaCsfoK tmpi+E9gYT/UohR3jbhsCyLse2FmW1bnZ8f2Rws=
X-Google-Smtp-Source: ABdhPJwFIrIfR9omUFs5vlM+85H98yGRXiskPHTrnxXVoEuqq9QNhQnrvmsI8AGNqGmq9mmcG8XFHdGy0GYxtxW8ZIg=
X-Received: by 2002:a1f:aa4b:: with SMTP id t72mr11297601vke.4.1610731831228; Fri, 15 Jan 2021 09:30:31 -0800 (PST)
MIME-Version: 1.0
References: <160809761379.22994.11202105892505044046@ietfa.amsl.com> <9337.1608141694@localhost> <CO1PR11MB48810AEB66C20453BB60C6EED8C30@CO1PR11MB4881.namprd11.prod.outlook.com> <CAP+sJUdiqg9toNVLfRYz0J4417GB+kdyyzUBWBOWiqSWHsThOQ@mail.gmail.com>
In-Reply-To: <CAP+sJUdiqg9toNVLfRYz0J4417GB+kdyyzUBWBOWiqSWHsThOQ@mail.gmail.com>
From: Ines Robles <mariainesrobles@googlemail.com>
Date: Fri, 15 Jan 2021 19:29:55 +0200
Message-ID: <CAP+sJUc6iy9m87C7FQ-mbOhY1Bm_=7MqQ2F020MAWB7E=aBB1Q@mail.gmail.com>
To: Erik Kline <ek.ietf@gmail.com>
Cc: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, roll <roll@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="000000000000a0fb1605b8f3ba08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/G4oSw9M9nsg4xJaKhBz0o1PRHoU>
Subject: Re: [Roll] Erik Kline's Discuss on draft-ietf-roll-useofrplinfo-42: (with DISCUSS and COMMENT)
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jan 2021 17:30:36 -0000
Dear Erik, version 44 recently published [ https://tools.ietf.org/rfcdiff?url2=draft-ietf-roll-useofrplinfo-44.txt] 1- Extends the definition of Flag Day: Flag Day: A Flag Day is caused when a network is reconfigured in a way that nodes running the older configuration can not communicate with nodes running the new configuration. For instance, when the ARPANET changed from IP version 3 to IP version 4 on January 1, 1983 ([RFC0801]). In the context of this document, a switch from RPI Option Type (0x63) and Option Type (0x23) presents as a disruptive changeover. In order to reduce the amount of time for such a changeover, Section 4.1.3 provides a mechanism to allow nodes to be incrementally upgraded. 2- Clarifies in Security Considerations the RH3 header usage "The RH3 header usage described here can be abused in equivalent ways. An external attacker may form a packet with an RH3 that is not fully consumed and encapsulate it to hide the RH3 from intermediate nodes and disguise the origin of traffic. As such, the attacker's RH3 header will not be seen by the network until it reaches the destination, which will decapsulate it. As indicated in section 4.2 of [RFC6554] <https://tools.ietf.org/html/rfc6554#section-4.2>, RPL routers are responsible for ensuring that an SRH is only used between RPL routers. As such, if there is an RH3 that is not fully consumed in the encapsulated packet, the node that decapsulates it MUST ensure that the outer packet was originated in the RPL domain and drop the packet otherwise. Also, as indicated by section 2 of [RFC6554] <https://tools.ietf.org/html/rfc6554#section-2>, RPL Border Routers "do not allow datagrams carrying an SRH header to enter or exit a RPL routing domain". This sentence must be understood as concerning non- fully-consumed packets. A consumed (inert) RH3 header could be present in a packet that flows from one LLN, crosses the Internet, and enters another LLN. As per the discussion in this document, such headers do not need to be removed. However, there is no case described in this document where an RH3 is inserted in a non-storing network on traffic that is leaving the LLN, but this document should not preclude such a future innovation. In short, a packet that crosses the border of the RPL domain MAY carry and RH3, and if so, that RH3 MUST be fully consumed." Please let us know if this address your concern. Thank you very much in advance, Ines, Pascal and Michael. On Sun, Jan 10, 2021 at 9:11 PM Ines Robles <mariainesrobles@googlemail.com> wrote: > Dear Erik, > > Thank you very much for your comments and suggestions, in version 43 > (diff) [Diff: > https://www.ietf.org/rfcdiff?url2=draft-ietf-roll-useofrplinfo-43] we > added a definition of consumed RH: > > New text: > Consumed: A Routing Header is consumed when the Segments Left field > is zero, which indicates that the destination in the IPv6 header is > the final destination of the packet and that the hops in the Routing > Header have been traversed. > > Please let us know if this addresses your concern. > > Thank you again, > > Ines, Michael and Pascal. > > On Fri, Dec 18, 2020 at 5:42 PM Pascal Thubert (pthubert) <pthubert= > 40cisco.com@dmarc.ietf.org> wrote: > >> Hello Michael and all: >> >> > -----Original Message----- >> > From: Roll <roll-bounces@ietf.org> On Behalf Of Michael Richardson >> > Sent: mercredi 16 décembre 2020 19:02 >> > To: Erik Kline <ek.ietf@gmail.com>; Routing Over Low power and Lossy >> > networks <roll@ietf.org> >> > Subject: Re: [Roll] Erik Kline's Discuss on >> draft-ietf-roll-useofrplinfo-42: (with >> > DISCUSS and COMMENT) >> > >> > >> > Erik Kline via Datatracker <noreply@ietf.org> wrote: >> > > I might recommend instead referring to RFC 6554 S4.2 for how to >> > > handle RH3's if the node is also a RPL-aware router and say it >> MUST >> > > drop the packet if segments left is non-zero and it's not a >> RPL-aware >> > > router. >> > >> > > Related: I'd also recommend: >> > >> > > "It should just be noted that an incoming RH3 must be fully >> consumed, >> > > or very carefully inspected." >> > >> > -> >> > >> > > "It should just be noted that an incoming RH3 MUST be fully >> > > consumed." >> > >> > I think that Pascal and I, when we write the "carefully inspected", is >> that we >> > are imagining situations where the topology is a bit subtle. >> >> Yes, I expected policies that would validate the right of a Leaf to >> participate to a DODAG ,or to remap the information from the leaf (could be >> the RPI, the opaque field in the EARO, or the 6-tuple) into an RPI. >> >> > Perhaps there are firewalls involved. >> > Perhaps a device has multiple interfaces (many radios for instance) and >> the >> > extra segments address the other interfaces. >> > >> > Also draft-ietf-anima-autonomic-control-plane uses storing mode, so >> never >> > has >> > RH3 headers, but imagine if it did. >> > >> > One could have a situation where the physical system containing one or >> more >> > layers of container was not the ultimate last hop from a logical point >> of view. >> > Rather than inner container was. So, it's all the same stack >> actually. In that >> > case, an optimization might be to process more than one segment in that >> > stack. >> > (The ANIMA ACP definitely supports having VMs and containers inside >> > routers) >> > >> > So, I can live with your suggestion, because in my case above, we can >> argue >> > that it's still "consumed" >> > >> > > * I'm confused by the use of "consumed" here. Is the final RH3 >> entry >> > > RUL's address? I guess you could say RH penultimate hop >> "consumes" the >> > > header because the ultimate destination address is put in the >> header DA >> > > field. Seems a bit odd though. >> > >> > Yes, that's what we mean. >> >> Yes, as I said in my response I thought it was quite common. I'm >> surprised to find little art to quote. >> >> > Once that ultimate destination is in the DA, then the RH3 is a dummy, >> but one >> > we are aren't supposed to remove. >> > >> > > I assume 6LR_n gets RUL's address from the last segment in RH3. >> > >> > > "Consumed" means segments left == 0, I guess? I suppose should >> have >> > > picked up on this terminology when it was first used in Section 2. >> > > Maybe clarify what it means in that section (2)? >> > >> > Yes. >> >> >> Cool, we're good! >> >> Pascal >> _______________________________________________ >> Roll mailing list >> Roll@ietf.org >> https://www.ietf.org/mailman/listinfo/roll >> >
- [Roll] Erik Kline's Discuss on draft-ietf-roll-us… Erik Kline via Datatracker
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Pascal Thubert (pthubert)
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Michael Richardson
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Erik Kline
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Michael Richardson
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Pascal Thubert (pthubert)
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Alvaro Retana
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Ines Robles
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Pascal Thubert (pthubert)
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Ines Robles
- Re: [Roll] Erik Kline's Discuss on draft-ietf-rol… Ines Robles