IETF Logo Mail Archive

[spring] IPv6 DOH order facts and thoughts//RE: How CRH support SFC/Segment Endpoint option?

"Xiejingrong (Jingrong)" <xiejingrong@huawei.com> Mon, 25 May 2020 08:09 UTC

Return-Path: <xiejingrong@huawei.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED2543A0D0E; Mon, 25 May 2020 01:09:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jE0hXzFF7yjO; Mon, 25 May 2020 01:09:34 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD8F33A0D0D; Mon, 25 May 2020 01:09:33 -0700 (PDT)
Received: from lhreml701-chm.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id E2371D5314B1C7837584; Mon, 25 May 2020 09:09:30 +0100 (IST)
Received: from nkgeml707-chm.china.huawei.com (10.98.57.157) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Mon, 25 May 2020 09:09:29 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml707-chm.china.huawei.com (10.98.57.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 25 May 2020 16:09:27 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Mon, 25 May 2020 16:09:27 +0800
From: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
To: Robert Raszuk <robert@raszuk.net>, Tom Herbert <tom@herbertland.com>
CC: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, "spring@ietf.org" <spring@ietf.org>, 6man <6man@ietf.org>
Thread-Topic: IPv6 DOH order facts and thoughts//RE: [spring] How CRH support SFC/Segment Endpoint option?
Thread-Index: AdYya7WYb60+Z4BmRIqt5efdTblOFQ==
Date: Mon, 25 May 2020 08:09:27 +0000
Message-ID: <f9b1f914e2014c05bce57a55e5f42a9f@huawei.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.202.118]
Content-Type: multipart/alternative; boundary="_000_f9b1f914e2014c05bce57a55e5f42a9fhuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/7V8OrZ9ll3nIw6ntSESSCFN9aLQ>
Subject: [spring] IPv6 DOH order facts and thoughts//RE: How CRH support SFC/Segment Endpoint option?
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2020 08:09:37 -0000

Hi !
Let me jump to this topic, and tell a fact first:  Most design examples of DOH in RFCs so far do NOT follow the “recommended order” of RFC1883/2460/8200.

EXAMPLE1: RFC3775/3776/4584/6275 requires DOH carrying a specific option is located after RH and before Fragmentation/AH/ESP (copied from RFC6275) ---- This does NOT follow the “recommended” order of 8200.
The Home Address option is carried by the Destination Option extension header (Next Header value = 60).
The Home Address option MUST be placed as follows:
   o  After the routing header, if that header is present
   o  Before the Fragment Header, if that header is present

EXAMPLE2: 7837 requires DOH before Frag/AH/ESP! ---- This does NOT follow the “recommended” order of 8200.
   The CDO SHOULD be placed as the first option in the Destination
   Option header before the AH [RFC4302] and/or Encapsulating Security
   Payload (ESP) [RFC4303] (if present).

Text about “EH order” from RFC8200:
   When more than one extension header is used in the same packet, it is
   recommended that those headers appear in the following order:

   If and when other extension headers are defined, their ordering
   constraints relative to the above listed headers must be specified.

   IPv6 nodes must accept and attempt to process extension headers in
   any order and occurring any number of times in the same packet,
   except for the Hop-by-Hop Options header, which is restricted to
   appear immediately after an IPv6 header only.  Nonetheless, it is
   strongly advised that sources of IPv6 packets adhere to the above
   recommended order until and unless subsequent specifications revise
   that recommendation.

There are some words for the 8200 recommended order:  “recommended”, “strongly advised …. Adhere to the above recommended order”
There are some other words for the other side: “their ordering constraints …. must be specified”, “IPv6 nodes must accept and attempt to process extension headers in any order”.

My reading of this text (inheritance of RFC1883/2460):

(1)     It is the responsibility of those who want to design solution based on IPv6 EH to define the order of IPv6 EH, and to tell why the “ordering constraints” of the proposal is.

(2)     The “recommended order” of RFC8200 does not make a proposal superior than others IMO.


Additional comments to  “DOH will be examined at each segment endpoint hop if DOH is present.”:
I agree and I’d like to add an additional note IMO to this:
The DOH could be used alone (without a following RH) to be processed by a “segment endpoint”, as long as the DA of a packet is the IPv6 address of the “segment endpoint” node!
The BIERv6 design is a case of this, use DOH alone (without a following RH) in common case, and requires DOH carrying a BIER option is located after RH if present and before Fragmentation/AH/ESP if present.
https://tools.ietf.org/html/draft-xie-bier-ipv6-encapsulation-06
Again please feel welcome to take this into discussion and consideration!


Thanks
Jingrong


From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Robert Raszuk
Sent: Monday, May 25, 2020 5:33 AM
To: Tom Herbert <tom@herbertland.com>
Cc: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>; spring@ietf.org; 6man <6man@ietf.org>
Subject: Re: [spring] How CRH support SFC/Segment Endpoint option?

Hi Tom,

Thank you !

That confirms my understanding ie that DOH will be examined at each segment endpoint hop if DOH is present.

So just like PSSI or TPF suggest a build in filtering (for example by target ID) is required to avoid misuse.

Kind regards,
Robert.


Robert,

Look at Destination Options before the routing header in RFC8200.
These are intended to be processed at every intermediate destination
in the routing header and precede any fragment header.

Tom

v2.23.0 | Report a Bug | By Email