Re: [spring] [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt

Ron Bonica <rbonica@juniper.net> Wed, 05 April 2023 16:01 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Tony Przygienda <tonysietf@gmail.com>
CC: Krzysztof Szarkowicz <kszarkowicz@juniper.net>, Kireeti Kompella <kireeti.ietf@gmail.com>, "spring@ietf.org" <spring@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, Andrew Alston - IETF <andrew-ietf@liquid.tech>
Date: Wed, 05 Apr 2023 16:01:05 +0000
Message-ID: <BL0PR05MB53162172D9B385BE34AF3EB9AE909@BL0PR05MB5316.namprd05.prod.outlook.com>
References: <072001d9611c$622fd220$268f7660$@olddog.co.uk> <B752E544-9E57-4DC8-8C34-5C17D7D9AF10@gmail.com> <CA+wi2hNGhkpysxHWiv25ZgdRMm22TWnNJ49PkWfyO0QficRnTQ@mail.gmail.com> <6F3EACD5-5AAC-477A-BB26-F50C4C115BB7@juniper.net> <BL0PR05MB531667C442FBEE791CD5B2ECAE8F9@BL0PR05MB5316.namprd05.prod.outlook.com> <BL0PR05MB5316D8BDF208FC6361D37934AE8F9@BL0PR05MB5316.namprd05.prod.outlook.com> <63276c1a-33d7-7cdc-28ad-6c627ae75a67@gmail.com> <CA+wi2hM9P1TiN2Z1_6w8mN3Xxfg2+YcrL0CQs8xY+3=q=EW0YQ@mail.gmail.com> <2af3ab48-79d1-87a8-65c9-025aa8d4152d@gmail.com>
In-Reply-To: <2af3ab48-79d1-87a8-65c9-025aa8d4152d@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/Lc5Vf1rv_IkQzrMk8pBA85NzFM4>
Subject: Re: [spring] [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>

Brian, Tony,

You are both right! The following are possible solutions:

1) encoding the layer-3 protocol in the Ethertype (just as we have always done)
2) encoding the layer-3 protocol in the IPv6 address (as proposed recently)

Solution #1 is hard to deploy but maintains operability. Solution #2 is easy to deploy but hurts operability.

So we ask ourselves: when do we want to pay the price? During deployment? For years after deployment?

                                                           Ron


-----Original Message-----
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Sent: Saturday, April 1, 2023 4:29 PM
To: Tony Przygienda <tonysietf@gmail.com>
Cc: Ron Bonica <rbonica@juniper.net>; Krzysztof Szarkowicz <kszarkowicz@juniper.net>; Kireeti Kompella <kireeti.ietf@gmail.com>; spring@ietf.org; int-area@ietf.org; Andrew Alston - IETF <andrew-ietf@liquid.tech>
Subject: Re: [Int-area] [spring] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt


Tony,

On 02-Apr-23 05:53, Tony Przygienda wrote:
> ?
>
> I heard the argument that IPv6 address space is large and "easy to carve up to mean other things" since about when IPv6 started to gain traction. The wisdom of that has been thankfully so far questioned. BIER was also approached by people who hoped we would create a precedent by taking a /8 or /16 or something and use the rest of the bits to stick bitmasks in. Expediency overriding architecture and all that usual jazz ...

I have all kinds of angst about using magic bit patterns in IPv6 addresses to convey semantics. Addresses are for getting packets from one end to the other, period. However, my main interest is to prevent SRV6 SIDs doing any kind of damage to the universal deployment of IPv6. From that point of view, a new Ethertype would be great because it automatically prevents SRV6 SIDs deployment on the Internet rather than within limited domains.

But that doesn't affect what I said: *deploying* a new Ethertype is much, much harder than deploying draft-ietf-6man-sids.

>
> Yes, it's easy to "quickly deploy", and taken to the bitter conclusion we'll stop having a decently economic, secure and debuggable IP forwarding path; instead we end up building IP host address firewall scanning things into layer 4 to find violations in complex constructs masquerading under addresses and IP "extension headers" and build lots of "kind of limited but not so limited and kind of secur'ish domains". Firewalls have their place but routers are not firewalls.

I don't see where layer 4 comes in. SRV6 adds semantics to layer 3. Layer 3 ACLs have existed much longer than firewalls. draft-ietf-6man-sids enables the non-SRV6 Internet to drop SRV6 SIDs traffic without any kind of DPI, exactly as a new Ethertype would.

Regards
    Brian

>
> -- tony
>
> On Fri, Mar 31, 2023 at 9:00 PM Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>
>     On 01-Apr-23 06:18, Ron Bonica wrote:
>      > On second thought, if we had the new ethertype, we wouldn’t need the new /16!
>      >
>      > They serve the same function
>
>     However, a new special-purpose prefix is rather trivial to deploy compared with a new Ethertype.
>
>          Brian
>
>      >
>      >                                                                          Ron
>      >
>      > *From:* Ron Bonica
>      > *Sent:* Friday, March 31, 2023 1:05 PM
>      > *To:* Krzysztof Szarkowicz <kszarkowicz=40juniper.net@dmarc.ietf.org>; Kireeti Kompella <kireeti.ietf@gmail.com>
>      > *Cc:* Adrian Farrel <adrian@olddog.co.uk>; Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>; int-area@ietf.org; spring@ietf.org; Dr. Tony Przygienda <tonysietf@gmail.com>
>      > *Subject:* RE: [spring] [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt
>      >
>      > +1
>      >
>      > If we allocate a /16 for SRv6 USIDs, as proposed in https://www.ietf.org/archive/id/draft-ietf-6man-sids-02.txt,
>      >
>      > we can allow that prefix only when the new ethertype is used.
>      >
>      >                                                                                    Ron
>      >
>      > *From:* spring <spring-bounces@ietf.org> *On Behalf Of *Krzysztof Szarkowicz
>      > *Sent:* Wednesday, March 29, 2023 5:30 AM
>      > *To:* Kireeti Kompella <kireeti.ietf@gmail.com>
>      > *Cc:* Adrian Farrel <adrian@olddog.co.uk>; Andrew Alston - IETF <andrew-ietf=40liquid.tech@dmarc.ietf.org>; int-area@ietf.org; spring@ietf.org; Dr. Tony Przygienda <tonysietf@gmail.com>
>      > *Subject:* Re: [spring] [Int-area] FW: New Version Notification for draft-raviolli-intarea-trusted-domain-srv6-00.txt
>      >
>      > An SRv6 packet might have an SRH, but might not. Especially with uSID, you can craft a decent SR-TE SRv6 packet without an SRH. So I think Kireeti's comments should apply to all SRv6 packets (with/without SRH).
>      >
>      > —
>      >
>      > Krzysztof
>      >
>      >     On 2023 -Mar-29, at 17:57, Tony Przygienda <tonysietf@gmail.com> wrote:
>      >
>      >     Though I would like to cheer for Kireeti's 2. as well I think the point of SHOULD is more realistic (for now) as Joel points out ...
>      >
>      >     As to ethertype, I think grown-ups in the room have for a long time been drily observing that a new IP version would have been appropriate after enough contortions-of-it's-an-IPv6-address-sometimes-and-sometimes-not-and-sometimes-only-1/4 were performed with drafts whose authors' list length sometimes rivaled pages of content ;-)  I think this ship has sailed and that's why after some discussions with Andrew we went the ether type route as more realistic. Additionally, yes, lots of encaps (not encodings) carrying SRv6 should get new codepoints if we are really serious about trusted domains here.
>      >
>      >     And folks who went the MPLS curve know that none of this is new; the same curve was walked roughly (though smoother, no one was tempted to "hide label stack in extension headers" ;-) and it would go a long way if deploying secure SRv6 becomes as simple as *not* switching on "address family srv6" on an interface until needed and then relying on BGP-LU (oops ;-) to build according lookup FIBs for SRv6 instead of going in the direction of routers becoming massive wildcard matching and routing header processing firewalls ...
>      >
>      >     --- tony
>      >
>      >         On Wed, Mar 29, 2023 at 4:33 PM Kireeti Kompella <kireeti.ietf@gmail.com> wrote:
>      >
>      >             On Mar 28, 2023, at 11:24, Adrian Farrel <adrian@olddog.co.uk> wrote:
>      >
>      >             [Spring cc’ed because, well, you know, SR. I wonder whether 6man and 6ops should care as well.]
>      >
>      >         SPRING cc’ed because, you know, replying to Adrian’s email.  Agree that 6man and 6ops [sh|w]ould be interested.
>      >
>      >             tl;dr
>      >
>      >             I think this is a good initiative and worth discussion. Thanks
>      >
>      >             for the draft.
>      >
>      >         Agree.  In particular:
>      >
>      >         1. There is an acknowledged security problem. Might be worth summarizing, as it is central to this draft, but an example is in rfc 8402/section 8. Section 3 of this draft (“The SRv6 Security Problem”) doesn’t actually describe the security problem; Section 5 does, briefly.
>      >
>      >         2. The solution (using a new EtherType, SRv6-ET) is a good one.  It’s sad that this wasn’t done from the get-go, as the solution is a bit “evil bit”-ish.  I’d prefer to see ALL SRv6 packets (i.e., those containing SRH) use SRv6-ET.  Boundary routers SHOULD drop packets with SRv6-ET that cross the boundary in either direction; all routers MUST drop packets with SRH that don’t have SRv6-ET. Yeah, difficult, but the added security is worth it.
>      >
>      >         3. Ease of secure deployment is a major consideration; this draft is a big step in that direction.
>      >
>      >         4. As Adrian said, several nits.  Will send separately to authors.
>      >
>      >         Kireeti
>      >
>      >         _______________________________________________
>      >         spring mailing list
>      > spring@ietf.org
>      > https://www.ietf.org/mailman/listinfo/spring
>      >
>      >
>      >
>      > _______________________________________________
>      > Int-area mailing list
>      > Int-area@ietf.org
>      > https://www.ietf.org/mailman/listinfo/int-area
>
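As an added example (not code from the thread, from draft-raviolli-intarea-trusted-domain-srv6, or from any vendor), the Python below puts the three filtering rules argued over in this thread side by side so they can be run against constructed frames: Kireeti's EtherType rules (every router drops an SRH that is not carried under SRv6-ET; a boundary router drops SRv6-ET frames crossing the boundary in either direction), Brian's plain layer-3 ACL on the dedicated /16 (no DPI, no need to locate an SRH), and Ron's combination (admit the /16 only under the new EtherType). The EtherType value 0x88B6 (a local-experimental EtherType) and the prefix 5f00::/16 are assumed stand-ins chosen for the example; the thread assigns neither. The function names, the frame builder and the sample frames are mine.

```python
"""Added example, not code from the thread: a toy frame classifier for the
SRv6 filtering rules discussed (EtherType rule, prefix ACL, and both)."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD      # IANA-assigned EtherType for IPv6
ETHERTYPE_SRV6 = 0x88B6      # ASSUMPTION: placeholder for the proposed SRv6-ET
NH_HOP_BY_HOP, NH_ROUTING, NH_DEST_OPTS, NH_NONE = 0, 43, 60, 59
ROUTING_TYPE_SRH = 4         # Segment Routing Header (RFC 8754)
SID_PREFIX = ipaddress.IPv6Network("5f00::/16")   # ASSUMPTION: stand-in for the /16


def parse_frame(frame: bytes) -> dict:
    """Return the EtherType, the IPv6 destination (None if not IPv6) and
    whether an SRH is present anywhere in the extension-header chain."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "dst": None, "has_srh": False}
    if ethertype not in (ETHERTYPE_IPV6, ETHERTYPE_SRV6):
        return info                      # not IPv6 under either EtherType
    ip = frame[14:]
    if len(ip) < 40 or ip[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 header")
    info["dst"] = ipaddress.IPv6Address(ip[24:40])
    next_header, offset = ip[6], 40
    # Walk the extension-header chain; stop at the first routing header.
    while next_header in (NH_HOP_BY_HOP, NH_ROUTING, NH_DEST_OPTS):
        if len(ip) < offset + 4:
            raise ValueError("truncated extension header")
        if next_header == NH_ROUTING:
            info["has_srh"] = ip[offset + 2] == ROUTING_TYPE_SRH
            break
        next_header, offset = ip[offset], offset + (ip[offset + 1] + 1) * 8
    return info


def filter_with_ethertype(frame: bytes, at_domain_boundary: bool) -> str:
    """Kireeti's rules: any router drops an SRH not carried under SRv6-ET;
    a boundary router also drops SRv6-ET frames crossing the boundary."""
    info = parse_frame(frame)
    if info["has_srh"] and info["ethertype"] != ETHERTYPE_SRV6:
        return "drop: SRH without SRv6-ET"
    if at_domain_boundary and info["ethertype"] == ETHERTYPE_SRV6:
        return "drop: SRv6-ET at domain boundary"
    return "forward"


def filter_with_prefix_acl(frame: bytes) -> str:
    """Brian's point: outside SRv6 domains a plain layer-3 ACL on the SID
    prefix drops SID traffic with no DPI, SRH present or not."""
    info = parse_frame(frame)
    if info["dst"] is not None and info["dst"] in SID_PREFIX:
        return "drop: destination in SID prefix"
    return "forward"


def filter_prefix_requires_ethertype(frame: bytes) -> str:
    """Ron's combination: the SID prefix is admitted only under SRv6-ET."""
    info = parse_frame(frame)
    if (info["dst"] is not None and info["dst"] in SID_PREFIX
            and info["ethertype"] != ETHERTYPE_SRV6):
        return "drop: SID prefix without SRv6-ET"
    return "forward"


def build_frame(ethertype: int, dst: str, with_srh: bool, hop_by_hop: bool = False) -> bytes:
    """Construct a minimal Ethernet/IPv6 frame (sample data made up for this example)."""
    src_b = ipaddress.IPv6Address("2001:db8::1").packed
    dst_b = ipaddress.IPv6Address(dst).packed
    payload, next_header = b"", NH_NONE
    if with_srh:
        # One-segment SRH: next header, hdr ext len (8-octet units beyond the first
        # 8), routing type 4, segments left, last entry, flags, tag, segment list.
        payload = struct.pack("!BBBBBBH", NH_NONE, 2, ROUTING_TYPE_SRH, 0, 0, 0, 0) + dst_b
        next_header = NH_ROUTING
    if hop_by_hop:
        # Hop-by-Hop header (8 octets, one PadN option) ahead of the rest of the chain,
        # so the parser has to walk past it to find the SRH.
        payload = struct.pack("!BBBB4x", next_header, 0, 1, 4) + payload
        next_header = NH_HOP_BY_HOP
    ip = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src_b + dst_b + payload
    return bytes(12) + struct.pack("!H", ethertype) + ip


if __name__ == "__main__":
    cases = {
        "SRH under IPv6 EtherType": build_frame(ETHERTYPE_IPV6, "5f00:0:1::", True),
        "SRH under SRv6-ET":        build_frame(ETHERTYPE_SRV6, "5f00:0:1::", True),
        "uSID packet, no SRH":      build_frame(ETHERTYPE_IPV6, "5f00:0:1::", False),
        "ordinary IPv6":            build_frame(ETHERTYPE_IPV6, "2001:db8::2", False),
    }
    for name, frame in cases.items():
        print(f"{name:26s} core={filter_with_ethertype(frame, False):28s} "
              f"boundary={filter_with_ethertype(frame, True):32s} "
              f"acl={filter_with_prefix_acl(frame):34s} "
              f"both={filter_prefix_requires_ethertype(frame)}")
```

Running it shows Krzysztof's observation concretely: a uSID packet addressed into the SID prefix with no SRH passes the SRH-based rule when it arrives under the ordinary IPv6 EtherType, while the prefix ACL and the combined rule still drop it. The ACL only works because the prefix is dedicated to SIDs; the EtherType rule works regardless of addressing but needs every boundary to enforce it, which is the deployment cost Brian and Ron are weighing.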