Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Suresh Krishnan <suresh.krishnan@gmail.com> Sat, 08 October 2022 01:16 UTC

Cc: 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
To: Joel Halpern <jmh@joelhalpern.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/8IUZHKrEdyA9LlX36Fl2NBjH1r0>

Hi Joel,

> On Oct 7, 2022, at 9:07 PM, Joel Halpern <jmh@joelhalpern.com> wrote:
> 
> Almost, but not quite.  The first part, up to "egress points" is fine.  But the description of the reasons leaves out one case I think is important.  Namely, preventing packets from outside the SR Domain (e.g. from an outside attacker) entering the SRv6 Domain.
> 
> 

Ah. Got it. This is covered in more detail in RFC8754 Section 5.1 but it makes sense to at least point to it here. Take 2:

NEW:
In case the deployments do not use this allocated prefix, additional care needs to be exercised at network ingress and egress points so that SRv6 packets do not leak out of SR domains and they do not accidentally enter SR unaware domains. Similarly, as stated in Section 5.1 of RFC8754, packets entering an SR domain from the outside need to be configured to filter out the selected prefix if it is different from the prefix allocated here.

Thoughts?

Regards
Suresh