IETF Logo Mail Archive

Re: [spring] draft-ietf-spring-srv6-srh-compression

Miya Kohno <miya.kohno@gmail.com> Thu, 08 February 2024 02:13 UTC

Return-Path: <miya.kohno@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1F42C14F748 for <spring@ietfa.amsl.com>; Wed, 7 Feb 2024 18:13:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzmuINW4ss0I for <spring@ietfa.amsl.com>; Wed, 7 Feb 2024 18:13:00 -0800 (PST)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A438C14F6B6 for <spring@ietf.org>; Wed, 7 Feb 2024 18:13:00 -0800 (PST)
Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-6e062fa6e00so751228b3a.1 for <spring@ietf.org>; Wed, 07 Feb 2024 18:13:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707358380; x=1707963180; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=E3vKKJw6YQT2hXfsTm/A7+ilZaXbMmcE4qyJjpvkfE4=; b=Y07Q7PWIEjR9NdkR+KVxWHcsXyRpepGMplHlC/KeN4u8TVPuvqKP9Vo0DW9GOPF/g3 kDwql6pZXM89DUMQXHq41IedpnGyDyHF0OoZ1t4NWPAVe4qeXqbfmFZVt55mQUVNtT+C dv4tlTM0lLlNNajyVPpAZxNGpjoVaLyEQTqTgShjiCJbsWCYGiTq2TtytOGKk2OFsRaq a8AJxI0ngclycfJKg7dKcHJOILenh68+vQ3WZcF2kzsvPp0mWXy1gAdGmdJFh/g8k5uD AsYhUKaJUKmD4ucsa2u4fzfDt2gte9DZxVVjEmkAzZnCnQCJYuawSOcCz/AWWUgGqJCR lsRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707358380; x=1707963180; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=E3vKKJw6YQT2hXfsTm/A7+ilZaXbMmcE4qyJjpvkfE4=; b=Ps53pI971XxOacG5F9AE2QjmwUxTy78gPQJqo+Z9Vzgi1tvtRBxRA5589ePHWHajzQ Ep846CiLZU8FNfECJJkpWewFabXI8Il3d0nhLFoyzmQrjvKbfxkfSh6QlZXSIq+k8uzr 42GTJnhf5WTbE5tM315pEjg6JwPVcwCFNEVaetUmrgBl/MxukCHwHDJFuhRZcDF0ixWD ElPZ5HSnUYNMEFHSyC84HSR49FOzAl8VbqKCwrc1LwnQdeZXedaTOrsjD3p3s27TSV1o C/HkWbi39U8X/htEPIKmDp2Km1Rq+dKPJ/dT3ZLb0NV1oWpVCdtxCgETr+zSdsX25ZNs QsaA==
X-Forwarded-Encrypted: i=1; AJvYcCXp+nfPmTJFQcvVWjfNOasSp4JqSZVNqkDXaEptUSQdTwX7oq28knafXxYW3PrQBnvxmTtCT51AEL5FlGLqUFg=
X-Gm-Message-State: AOJu0YxWPusFJrzniGsrIRw3Gr2MLfN52GJg1SBxTM48digCCwisDcSv qKfxyRb3hxVwosm7EvXNpMeJlyYWxKDexgzXoQcN5vw4LBx+KjPjdw+KY5A7sMaEUJpFZ+ik6dz XlA3cyOUOU/1Dzv41PvAP7pHa7lYN0Rhobr4=
X-Google-Smtp-Source: AGHT+IHkwIt21OgwI84hMprdbePD0ZF5SQlT2nz4w03HsZ0upmYz11oIuJ7Btr3o1uY+yfM+oZJnk/c3QZAiKKlO0IU=
X-Received: by 2002:a05:6a00:2d0c:b0:6e0:4c3b:3b5c with SMTP id fa12-20020a056a002d0c00b006e04c3b3b5cmr5745738pfb.4.1707358379523; Wed, 07 Feb 2024 18:12:59 -0800 (PST)
MIME-Version: 1.0
References: <DU2PR03MB8021764E2F17F0D527E3FA3CFA472@DU2PR03MB8021.eurprd03.prod.outlook.com> <BL0PR05MB53163A098023244520ADCEEBAE472@BL0PR05MB5316.namprd05.prod.outlook.com> <CAOj+MMEc1R8fZZwgOEF2-mK8S0+PE+zBR3Yz9vwXBh-umQPAjQ@mail.gmail.com> <DU2PR03MB8021CE3063F9E5B59B9A142FFA472@DU2PR03MB8021.eurprd03.prod.outlook.com> <6d32265d55cb4533b7da5d2d25e7c8d4@huawei.com> <DU2PR03MB8021F2F2194249158DE985B9FA462@DU2PR03MB8021.eurprd03.prod.outlook.com> <CABUE3X=LcM3cbaZZqE2KCyHYmd7uwfmhwfKE8gGj7J+MXOjQPA@mail.gmail.com> <BL0PR05MB5316861600A028619034FD14AE452@BL0PR05MB5316.namprd05.prod.outlook.com>
In-Reply-To: <BL0PR05MB5316861600A028619034FD14AE452@BL0PR05MB5316.namprd05.prod.outlook.com>
From: Miya Kohno <miya.kohno@gmail.com>
Date: Thu, 08 Feb 2024 11:12:48 +0900
Message-ID: <CAG99te=u+qSgFkkn1y9cT2Z+iCkZ7vbgWuwMPC2fA0y9PRA9_A@mail.gmail.com>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Cc: Tal Mizrahi <tal.mizrahi.phd@gmail.com>, Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>, Antoine FRESSANCOURT <antoine.fressancourt=40huawei.com@dmarc.ietf.org>, Robert Raszuk <robert@raszuk.net>, "spring@ietf.org" <spring@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7445e0610d55959"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/EYFzTI1qj1gVAOeDCEsn4i-twVU>
Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 02:13:04 -0000

It can be a good thing, in terms of deterring "man-in-the-middle attack."
:-)

Miya

On Wed, Feb 7, 2024 at 10:45 AM Ron Bonica <rbonica=
40juniper.net@dmarc.ietf.org> wrote:

> Folks,
>
> Someone raised the same objection with regard to the CRH Draft
> <https://datatracker.ietf.org/doc/html/draft-ietf-6man-comp-rtg-hdr-03>.
> Since there iss no easy solution to the problem, the authors simply
> acknowledged the issue in Section 7
> <https://www.ietf.org/archive/id/draft-ietf-6man-comp-rtg-hdr-03.html#name-destination-address-transpa> of
> the draft. So, operators are warned. If you have middleboxes that verify L4
> checksums, don't deploy this technology.
>
> You might want to add a similar section in your draft.
>
>                                                                Ron
>
>
>
> Juniper Business Use Only
> ------------------------------
> *From:* Tal Mizrahi <tal.mizrahi.phd@gmail.com>
> *Sent:* Tuesday, February 6, 2024 9:46 AM
> *To:* Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>
> *Cc:* Antoine FRESSANCOURT <antoine.fressancourt=
> 40huawei.com@dmarc.ietf.org>; Robert Raszuk <robert@raszuk.net>; Ron
> Bonica <rbonica@juniper.net>; spring@ietf.org <spring@ietf.org>
> *Subject:* Re: [spring] draft-ietf-spring-srv6-srh-compression
>
> [External Email. Be cautious of content]
>
>
> Dear Andrew,
>
> A couple of questions regarding the middlebox use case.
>
> 1. I am curious to know whether there are existing middleboxes that
> can verify the L4 checksum for packets with an SRH.
> 2. Can a middlebox verify the L4 checksum of a packet with an SRH *in
> compliance with RFC 8200*?
>   RFC 8200 defines the pseudo-header "At the originating node" and "at
> the recipient(s)", but does not say anything about middleware. Is it
> implicitly assumed that the middleware is an "originating node"?
>
> Cheers,
> Tal.
>
> On Tue, Feb 6, 2024 at 12:16 PM Andrew Alston - IETF
> <andrew-ietf=40liquid.tech@dmarc.ietf.org> wrote:
> >
> > I think it’s only fair to clarify my remarks – again – speaking entirely
> as a contributor.
> >
> >
> >
> > Let’s be clear – the middlware boxes will work in most cases – except
> when there is no SRH.
> >
> >
> >
> > The problem here is that if you apply a Micro-SID – which is imposed by
> originating system – and have no SRH – the DA of the packet is changing
> along the way – and the L4 checksum will be broken.  There is no way to
> actually calculate the correct L4 checksum in flight – and in reality the
> originating system will now need to impose a checksum that is invalid at
> the start for it to be correct at the end – breaking end to end check
> summing.  This is a problem.
> >
> >
> >
> > Let’s look at what 8200 says:
> >
> >
> >
> >       o  If the IPv6 packet contains a Routing header, the Destination
> >
> >          Address used in the pseudo-header is that of the final
> >
> >          destination.  At the originating node, that address will be in
> >
> >          the last element of the Routing header; at the recipient(s),
> >
> >          that address will be in the Destination Address field of the
> >
> >          IPv6 header.
> >
> >
> >
> > Now, in the case of no SRH – the DA address placed by the originating
> host – is *NOT* the final DA – because of the manipulation in the middle.
> >
> >
> >
> > The reality is that middleware boxes are (unfortunately) common –
> especially in this part of the world – they are used by state and other
> entities for DPI and traffic control etc – and they are used for IDS
> purposes etc – and breaking the L4 checksum in flight with no way for these
> boxes to calculate the correct checksum – will break existing deployments –
> that – is a problem and it needs to be addressed.  I would be quite fine if
> there was explicit text detailing this that was explicitly approved by 6man
> as the originators of 8200 (and a clear indication that this document
> updates 8200) – or alternatively a -BIS to 8200.  Either way – if you break
> the checksum – this needs explanatory text and it needs approval for 6man
> via a 6man Last call as far as I am concerned.
> >
> >
> >
> > Thanks
> >
> >
> >
> > Andrew
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Internal All Employees
> >
> > From: Antoine FRESSANCOURT <antoine.fressancourt=
> 40huawei.com@dmarc.ietf.org>
> > Date: Tuesday, 6 February 2024 at 12:16
> > To: Andrew Alston - IETF <andrew-ietf@liquid.tech>, Robert Raszuk <
> robert@raszuk.net>, Ron Bonica <rbonica@juniper.net>
> > Cc: spring@ietf.org <spring@ietf.org>
> > Subject: RE: [spring] draft-ietf-spring-srv6-srh-compression
> >
> > Hello,
> >
> >
> >
> > I tend to agree with Andrew that the fact that the verification of a L4
> checksum by a middlebox breaks is a problem. But I think this is a huge
> problem with the middleboxes, not with SRv6.
> >
> >
> >
> > According to me, reading RFC 8200 gives rather clear guidelines with
> regards to the computation of the L4 checksum. This checksum should be
> computed using the destination address seen by the destination verifying
> the checksum. As L4 protocols are end to end protocols, the checksum
> verifier is the end point destination of the packet, and not a middlebox on
> the path. If a middlebox breaks the communication by looking at fields it
> should not look at, then the problem is the intervention of the middlebox.
> >
> >
> >
> > Best,
> >
> >
> >
> > Antoine
> >
> >
> >
> >
> >
> > From: spring <spring-bounces@ietf.org> On Behalf Of Andrew Alston - IETF
> > Sent: lundi 5 février 2024 20:32
> > To: Robert Raszuk <robert@raszuk.net>; Ron Bonica <rbonica@juniper.net>
> > Cc: spring@ietf.org
> > Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
> >
> >
> >
> > I call breaking any middleware that does checksum validation a problem -
> and a big one
> >
> >
> >
> >
> >
> > Andrew Alston
> >
> >
> >
> > Internal All Employees
> >
> > ________________________________
> >
> > From: Robert Raszuk <robert@raszuk.net>
> > Sent: Monday, February 5, 2024 7:16:23 PM
> > To: Ron Bonica <rbonica@juniper.net>
> > Cc: Andrew Alston - IETF <andrew-ietf@liquid.tech>; spring@ietf.org <
> spring@ietf.org>
> > Subject: Re: [spring] draft-ietf-spring-srv6-srh-compression
> >
> >
> >
> > Hi Ron,
> >
> >
> >
> > Is there a problem ?
> >
> >
> >
> > If I read RFC8200 L4 checksum is computed by the packet originator and
> validated by the packet's ultimate receiver.
> >
> >
> >
> > In all SPRING work to the best of my knowledge the vast majority of
> packets are only encapsulated by transit nodes.
> >
> >
> >
> > Is there any formal mandate in any of the RFCs that an encapsulating
> node must mangle the inner packet's L4 checksum ? I don't think so but
> stand open to get my understanding corrected.
> >
> >
> >
> > Cheers,
> >
> > Robert
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On Mon, Feb 5, 2024 at 5:04 PM Ron Bonica <rbonica=
> 40juniper.net@dmarc.ietf.org> wrote:
> >
> > Folks,
> >
> >
> >
> > Has anyone proposed a solution to the L4 checksum problem that Andrew
> talks about?
> >
> >
> >
> >                                           Ron
> >
> >
> >
> > Juniper Business Use Only
> >
> > ________________________________
> >
> > From: spring <spring-bounces@ietf.org> on behalf of Andrew Alston -
> IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>
> > Sent: Monday, February 5, 2024 5:21 AM
> > To: spring@ietf.org <spring@ietf.org>
> > Subject: [spring] draft-ietf-spring-srv6-srh-compression
> >
> >
> >
> > [External Email. Be cautious of content]
> >
> >
> >
> > Hi All,
> >
> >
> >
> > (In capacity as a contributor and wearing no other hats)
> >
> >
> >
> > At this point I cannot support progression of this document until the
> issues around the L4 Checksum have been resolved.  It’s been clearly stated
> in other emails on the list that in certain circumstances the behavior
> described in this document break the L4 checksum as defined in RFC8200.
> This requires an update to RFC8200 to fix it – and I’m not sure that spring
> can update 8200 absent the consent of 6man, which I’m not sure has been
> asked for, nor am I sure that a spring document can update something like
> 8200 in an area so fundamental as the checksum without a -BIS, which would
> have to be done via 6man.  The L4 checksum issue though is real – and it
> cannot simply be ignored.
> >
> >
> >
> > I also have deep concerns that the compression document creates
> something that (in a similar way to SRv6) creates something that is
> completely non-conformant with RFC4291.  There are multiple references to
> this in draft-6man-sids, and should draft-6man-sids become an RFC I would
> argue that it should probably be a normative reference in this document –
> on the logic that this document relies on similar RFC4291 violations that
> srv6 itself does (and for the record, just because SRv6 itself violates
> RFC4291 as is clearly documented in draft-6man-sids – does not make it
> acceptable to do so in yet another draft without clear and unambiguously
> stating the deviations and ideally updating RFC4291 to allow for said
> deviations)
> >
> >
> >
> > I believe these two issues alone are sufficient that to pass this
> document would create still further tensions about the relationship between
> SRv6 and IPv6 and lead to confusion.  As such – I believe these issues need
> to be adequately dealt with – and the solutions to them need to be approved
> by 6man as the working group that holds responsibility for ipv6 maintenance.
> >
> >
> >
> > Thanks
> >
> >
> >
> > Andrew Alston
> >
> >
> >
> >
> >
> >
> >
> > Internal All Employees
> >
> > _______________________________________________
> > spring mailing list
> > spring@ietf.org
> >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spring__;!!NEt6yMaO-gk!EP3H1Kg-F8iNFIm1BpYH1ioC5lNtcd6S3XisWWZon80eZtRk_HyIophSpxWJ3vs0xKMM5bzRHw06xBX92ckK4KYwdw$
> >
> > _______________________________________________
> > spring mailing list
> > spring@ietf.org
> >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spring__;!!NEt6yMaO-gk!EP3H1Kg-F8iNFIm1BpYH1ioC5lNtcd6S3XisWWZon80eZtRk_HyIophSpxWJ3vs0xKMM5bzRHw06xBX92ckK4KYwdw$
> _______________________________________________
> spring mailing list
> spring@ietf.org
> https://www.ietf.org/mailman/listinfo/spring
>

v2.23.0 | Report a Bug | By Email