Re: [spring] draft-ietf-spring-srv6-srh-compression
Miya Kohno <miya.kohno@gmail.com> Thu, 08 February 2024 02:13 UTC
Return-Path: <miya.kohno@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1F42C14F748 for <spring@ietfa.amsl.com>; Wed, 7 Feb 2024 18:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzmuINW4ss0I for <spring@ietfa.amsl.com>; Wed, 7 Feb 2024 18:13:00 -0800 (PST)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A438C14F6B6 for <spring@ietf.org>; Wed, 7 Feb 2024 18:13:00 -0800 (PST)
Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-6e062fa6e00so751228b3a.1 for <spring@ietf.org>; Wed, 07 Feb 2024 18:13:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707358380; x=1707963180; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=E3vKKJw6YQT2hXfsTm/A7+ilZaXbMmcE4qyJjpvkfE4=; b=Y07Q7PWIEjR9NdkR+KVxWHcsXyRpepGMplHlC/KeN4u8TVPuvqKP9Vo0DW9GOPF/g3 kDwql6pZXM89DUMQXHq41IedpnGyDyHF0OoZ1t4NWPAVe4qeXqbfmFZVt55mQUVNtT+C dv4tlTM0lLlNNajyVPpAZxNGpjoVaLyEQTqTgShjiCJbsWCYGiTq2TtytOGKk2OFsRaq a8AJxI0ngclycfJKg7dKcHJOILenh68+vQ3WZcF2kzsvPp0mWXy1gAdGmdJFh/g8k5uD AsYhUKaJUKmD4ucsa2u4fzfDt2gte9DZxVVjEmkAzZnCnQCJYuawSOcCz/AWWUgGqJCR lsRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707358380; x=1707963180; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=E3vKKJw6YQT2hXfsTm/A7+ilZaXbMmcE4qyJjpvkfE4=; b=Ps53pI971XxOacG5F9AE2QjmwUxTy78gPQJqo+Z9Vzgi1tvtRBxRA5589ePHWHajzQ Ep846CiLZU8FNfECJJkpWewFabXI8Il3d0nhLFoyzmQrjvKbfxkfSh6QlZXSIq+k8uzr 42GTJnhf5WTbE5tM315pEjg6JwPVcwCFNEVaetUmrgBl/MxukCHwHDJFuhRZcDF0ixWD ElPZ5HSnUYNMEFHSyC84HSR49FOzAl8VbqKCwrc1LwnQdeZXedaTOrsjD3p3s27TSV1o C/HkWbi39U8X/htEPIKmDp2Km1Rq+dKPJ/dT3ZLb0NV1oWpVCdtxCgETr+zSdsX25ZNs QsaA==
X-Forwarded-Encrypted: i=1; AJvYcCXp+nfPmTJFQcvVWjfNOasSp4JqSZVNqkDXaEptUSQdTwX7oq28knafXxYW3PrQBnvxmTtCT51AEL5FlGLqUFg=
X-Gm-Message-State: AOJu0YxWPusFJrzniGsrIRw3Gr2MLfN52GJg1SBxTM48digCCwisDcSv qKfxyRb3hxVwosm7EvXNpMeJlyYWxKDexgzXoQcN5vw4LBx+KjPjdw+KY5A7sMaEUJpFZ+ik6dz XlA3cyOUOU/1Dzv41PvAP7pHa7lYN0Rhobr4=
X-Google-Smtp-Source: AGHT+IHkwIt21OgwI84hMprdbePD0ZF5SQlT2nz4w03HsZ0upmYz11oIuJ7Btr3o1uY+yfM+oZJnk/c3QZAiKKlO0IU=
X-Received: by 2002:a05:6a00:2d0c:b0:6e0:4c3b:3b5c with SMTP id fa12-20020a056a002d0c00b006e04c3b3b5cmr5745738pfb.4.1707358379523; Wed, 07 Feb 2024 18:12:59 -0800 (PST)
MIME-Version: 1.0
References: <DU2PR03MB8021764E2F17F0D527E3FA3CFA472@DU2PR03MB8021.eurprd03.prod.outlook.com> <BL0PR05MB53163A098023244520ADCEEBAE472@BL0PR05MB5316.namprd05.prod.outlook.com> <CAOj+MMEc1R8fZZwgOEF2-mK8S0+PE+zBR3Yz9vwXBh-umQPAjQ@mail.gmail.com> <DU2PR03MB8021CE3063F9E5B59B9A142FFA472@DU2PR03MB8021.eurprd03.prod.outlook.com> <6d32265d55cb4533b7da5d2d25e7c8d4@huawei.com> <DU2PR03MB8021F2F2194249158DE985B9FA462@DU2PR03MB8021.eurprd03.prod.outlook.com> <CABUE3X=LcM3cbaZZqE2KCyHYmd7uwfmhwfKE8gGj7J+MXOjQPA@mail.gmail.com> <BL0PR05MB5316861600A028619034FD14AE452@BL0PR05MB5316.namprd05.prod.outlook.com>
In-Reply-To: <BL0PR05MB5316861600A028619034FD14AE452@BL0PR05MB5316.namprd05.prod.outlook.com>
From: Miya Kohno <miya.kohno@gmail.com>
Date: Thu, 08 Feb 2024 11:12:48 +0900
Message-ID: <CAG99te=u+qSgFkkn1y9cT2Z+iCkZ7vbgWuwMPC2fA0y9PRA9_A@mail.gmail.com>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Cc: Tal Mizrahi <tal.mizrahi.phd@gmail.com>, Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>, Antoine FRESSANCOURT <antoine.fressancourt=40huawei.com@dmarc.ietf.org>, Robert Raszuk <robert@raszuk.net>, "spring@ietf.org" <spring@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7445e0610d55959"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/EYFzTI1qj1gVAOeDCEsn4i-twVU>
Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 02:13:04 -0000
It can be a good thing, in terms of deterring "man-in-the-middle attack." :-) Miya On Wed, Feb 7, 2024 at 10:45 AM Ron Bonica <rbonica= 40juniper.net@dmarc.ietf.org> wrote: > Folks, > > Someone raised the same objection with regard to the CRH Draft > <https://datatracker.ietf.org/doc/html/draft-ietf-6man-comp-rtg-hdr-03>. > Since there iss no easy solution to the problem, the authors simply > acknowledged the issue in Section 7 > <https://www.ietf.org/archive/id/draft-ietf-6man-comp-rtg-hdr-03.html#name-destination-address-transpa> of > the draft. So, operators are warned. If you have middleboxes that verify L4 > checksums, don't deploy this technology. > > You might want to add a similar section in your draft. > > Ron > > > > Juniper Business Use Only > ------------------------------ > *From:* Tal Mizrahi <tal.mizrahi.phd@gmail.com> > *Sent:* Tuesday, February 6, 2024 9:46 AM > *To:* Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org> > *Cc:* Antoine FRESSANCOURT <antoine.fressancourt= > 40huawei.com@dmarc.ietf.org>; Robert Raszuk <robert@raszuk.net>; Ron > Bonica <rbonica@juniper.net>; spring@ietf.org <spring@ietf.org> > *Subject:* Re: [spring] draft-ietf-spring-srv6-srh-compression > > [External Email. Be cautious of content] > > > Dear Andrew, > > A couple of questions regarding the middlebox use case. > > 1. I am curious to know whether there are existing middleboxes that > can verify the L4 checksum for packets with an SRH. > 2. Can a middlebox verify the L4 checksum of a packet with an SRH *in > compliance with RFC 8200*? > RFC 8200 defines the pseudo-header "At the originating node" and "at > the recipient(s)", but does not say anything about middleware. Is it > implicitly assumed that the middleware is an "originating node"? > > Cheers, > Tal. > > On Tue, Feb 6, 2024 at 12:16 PM Andrew Alston - IETF > <andrew-ietf=40liquid.tech@dmarc.ietf.org> wrote: > > > > I think it’s only fair to clarify my remarks – again – speaking entirely > as a contributor. > > > > > > > > Let’s be clear – the middlware boxes will work in most cases – except > when there is no SRH. > > > > > > > > The problem here is that if you apply a Micro-SID – which is imposed by > originating system – and have no SRH – the DA of the packet is changing > along the way – and the L4 checksum will be broken. There is no way to > actually calculate the correct L4 checksum in flight – and in reality the > originating system will now need to impose a checksum that is invalid at > the start for it to be correct at the end – breaking end to end check > summing. This is a problem. > > > > > > > > Let’s look at what 8200 says: > > > > > > > > o If the IPv6 packet contains a Routing header, the Destination > > > > Address used in the pseudo-header is that of the final > > > > destination. At the originating node, that address will be in > > > > the last element of the Routing header; at the recipient(s), > > > > that address will be in the Destination Address field of the > > > > IPv6 header. > > > > > > > > Now, in the case of no SRH – the DA address placed by the originating > host – is *NOT* the final DA – because of the manipulation in the middle. > > > > > > > > The reality is that middleware boxes are (unfortunately) common – > especially in this part of the world – they are used by state and other > entities for DPI and traffic control etc – and they are used for IDS > purposes etc – and breaking the L4 checksum in flight with no way for these > boxes to calculate the correct checksum – will break existing deployments – > that – is a problem and it needs to be addressed. I would be quite fine if > there was explicit text detailing this that was explicitly approved by 6man > as the originators of 8200 (and a clear indication that this document > updates 8200) – or alternatively a -BIS to 8200. Either way – if you break > the checksum – this needs explanatory text and it needs approval for 6man > via a 6man Last call as far as I am concerned. > > > > > > > > Thanks > > > > > > > > Andrew > > > > > > > > > > > > > > > > > > > > > > Internal All Employees > > > > From: Antoine FRESSANCOURT <antoine.fressancourt= > 40huawei.com@dmarc.ietf.org> > > Date: Tuesday, 6 February 2024 at 12:16 > > To: Andrew Alston - IETF <andrew-ietf@liquid.tech>, Robert Raszuk < > robert@raszuk.net>, Ron Bonica <rbonica@juniper.net> > > Cc: spring@ietf.org <spring@ietf.org> > > Subject: RE: [spring] draft-ietf-spring-srv6-srh-compression > > > > Hello, > > > > > > > > I tend to agree with Andrew that the fact that the verification of a L4 > checksum by a middlebox breaks is a problem. But I think this is a huge > problem with the middleboxes, not with SRv6. > > > > > > > > According to me, reading RFC 8200 gives rather clear guidelines with > regards to the computation of the L4 checksum. This checksum should be > computed using the destination address seen by the destination verifying > the checksum. As L4 protocols are end to end protocols, the checksum > verifier is the end point destination of the packet, and not a middlebox on > the path. If a middlebox breaks the communication by looking at fields it > should not look at, then the problem is the intervention of the middlebox. > > > > > > > > Best, > > > > > > > > Antoine > > > > > > > > > > > > From: spring <spring-bounces@ietf.org> On Behalf Of Andrew Alston - IETF > > Sent: lundi 5 février 2024 20:32 > > To: Robert Raszuk <robert@raszuk.net>; Ron Bonica <rbonica@juniper.net> > > Cc: spring@ietf.org > > Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression > > > > > > > > I call breaking any middleware that does checksum validation a problem - > and a big one > > > > > > > > > > > > Andrew Alston > > > > > > > > Internal All Employees > > > > ________________________________ > > > > From: Robert Raszuk <robert@raszuk.net> > > Sent: Monday, February 5, 2024 7:16:23 PM > > To: Ron Bonica <rbonica@juniper.net> > > Cc: Andrew Alston - IETF <andrew-ietf@liquid.tech>; spring@ietf.org < > spring@ietf.org> > > Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression > > > > > > > > Hi Ron, > > > > > > > > Is there a problem ? > > > > > > > > If I read RFC8200 L4 checksum is computed by the packet originator and > validated by the packet's ultimate receiver. > > > > > > > > In all SPRING work to the best of my knowledge the vast majority of > packets are only encapsulated by transit nodes. > > > > > > > > Is there any formal mandate in any of the RFCs that an encapsulating > node must mangle the inner packet's L4 checksum ? I don't think so but > stand open to get my understanding corrected. > > > > > > > > Cheers, > > > > Robert > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Mon, Feb 5, 2024 at 5:04 PM Ron Bonica <rbonica= > 40juniper.net@dmarc.ietf.org> wrote: > > > > Folks, > > > > > > > > Has anyone proposed a solution to the L4 checksum problem that Andrew > talks about? > > > > > > > > Ron > > > > > > > > Juniper Business Use Only > > > > ________________________________ > > > > From: spring <spring-bounces@ietf.org> on behalf of Andrew Alston - > IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org> > > Sent: Monday, February 5, 2024 5:21 AM > > To: spring@ietf.org <spring@ietf.org> > > Subject: [spring] draft-ietf-spring-srv6-srh-compression > > > > > > > > [External Email. Be cautious of content] > > > > > > > > Hi All, > > > > > > > > (In capacity as a contributor and wearing no other hats) > > > > > > > > At this point I cannot support progression of this document until the > issues around the L4 Checksum have been resolved. It’s been clearly stated > in other emails on the list that in certain circumstances the behavior > described in this document break the L4 checksum as defined in RFC8200. > This requires an update to RFC8200 to fix it – and I’m not sure that spring > can update 8200 absent the consent of 6man, which I’m not sure has been > asked for, nor am I sure that a spring document can update something like > 8200 in an area so fundamental as the checksum without a -BIS, which would > have to be done via 6man. The L4 checksum issue though is real – and it > cannot simply be ignored. > > > > > > > > I also have deep concerns that the compression document creates > something that (in a similar way to SRv6) creates something that is > completely non-conformant with RFC4291. There are multiple references to > this in draft-6man-sids, and should draft-6man-sids become an RFC I would > argue that it should probably be a normative reference in this document – > on the logic that this document relies on similar RFC4291 violations that > srv6 itself does (and for the record, just because SRv6 itself violates > RFC4291 as is clearly documented in draft-6man-sids – does not make it > acceptable to do so in yet another draft without clear and unambiguously > stating the deviations and ideally updating RFC4291 to allow for said > deviations) > > > > > > > > I believe these two issues alone are sufficient that to pass this > document would create still further tensions about the relationship between > SRv6 and IPv6 and lead to confusion. As such – I believe these issues need > to be adequately dealt with – and the solutions to them need to be approved > by 6man as the working group that holds responsibility for ipv6 maintenance. > > > > > > > > Thanks > > > > > > > > Andrew Alston > > > > > > > > > > > > > > > > Internal All Employees > > > > _______________________________________________ > > spring mailing list > > spring@ietf.org > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spring__;!!NEt6yMaO-gk!EP3H1Kg-F8iNFIm1BpYH1ioC5lNtcd6S3XisWWZon80eZtRk_HyIophSpxWJ3vs0xKMM5bzRHw06xBX92ckK4KYwdw$ > > > > _______________________________________________ > > spring mailing list > > spring@ietf.org > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spring__;!!NEt6yMaO-gk!EP3H1Kg-F8iNFIm1BpYH1ioC5lNtcd6S3XisWWZon80eZtRk_HyIophSpxWJ3vs0xKMM5bzRHw06xBX92ckK4KYwdw$ > _______________________________________________ > spring mailing list > spring@ietf.org > https://www.ietf.org/mailman/listinfo/spring >
- [spring] draft-ietf-spring-srv6-srh-compression Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Ron Bonica
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Buraglio
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Antoine FRESSANCOURT
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Tal Mizrahi
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Eduard Metz
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Hilliard
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Buraglio
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Ron Bonica
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Hilliard
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Andrew Alston - IETF
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Miya Kohno
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Francois Clad
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Nick Buraglio
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Gyan Mishra
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Francois Clad
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Greg Mirsky
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Eduard Metz
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Robert Raszuk
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Francois Clad
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Mark Smith
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Mark Smith
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Greg Mirsky
- Re: [spring] draft-ietf-spring-srv6-srh-compressi… Greg Mirsky