IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

David Farmer <farmer@umn.edu> Mon, 10 October 2022 15:32 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3069C14CF0B for <spring@ietfa.amsl.com>; Mon, 10 Oct 2022 08:32:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCBcgO8tz4gu for <spring@ietfa.amsl.com>; Mon, 10 Oct 2022 08:32:03 -0700 (PDT)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5214C1522DD for <spring@ietf.org>; Mon, 10 Oct 2022 08:30:59 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 4MmND319FKz9vFPD for <spring@ietf.org>; Mon, 10 Oct 2022 15:30:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MGX4_VBI_t-Q for <spring@ietf.org>; Mon, 10 Oct 2022 10:30:58 -0500 (CDT)
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com [209.85.208.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 4MmND254Rkz9vFP4 for <spring@ietf.org>; Mon, 10 Oct 2022 10:30:58 -0500 (CDT)
DMARC-Filter: OpenDMARC Filter v1.3.2 mta-p5.oit.umn.edu 4MmND254Rkz9vFP4
DKIM-Filter: OpenDKIM Filter v2.11.0 mta-p5.oit.umn.edu 4MmND254Rkz9vFP4
Received: by mail-ed1-f71.google.com with SMTP id z16-20020a05640235d000b0045c0360bfcfso2803029edc.14 for <spring@ietf.org>; Mon, 10 Oct 2022 08:30:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RXoXBgtcuozhu+hX8rgcLFA06Fj0oDDGUmlBobZw6NM=; b=ZgSLahRc3xsqWOJPnqjyevsRi8TgLLqkTwXQFhGbdXfglvfxBl4bIAop058D+fyfIy J7cbzQq3rX0UOOu4M3QEmXrje2Bp7iysT8muY5tmiThYibHQLZ+3/ZhrCNxTbZdHcm1i LzkFKoz0DY6Jln94jEky6U9BX0m/k9cVE2xvf1dEbgMof5Dvlmg1RTNyV3P+TjwzQY8H Ml/6tG/PHsi/L4/RzBEtG7MBL1ROBCUqGltkfG6qHsi6yNfU9W9Q4BXcR5s8WyNowJS/ zvT/PqBbCOZkgomWLP3+sZNbW8Gbddxwh0FY8B/2wBTdz/QflPbH8PMi/gHmpWt7ujQ9 5e7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RXoXBgtcuozhu+hX8rgcLFA06Fj0oDDGUmlBobZw6NM=; b=IuXc4w7Ls1rToKd1gNtm6c4D4AFTKw057S4koD5QK8trU9TigZCWnAsljnYVvY3DyE wU5TfU2MRPCJbPO6axI37K5PZDZbiSPzMGIRAUXzX6w8i808rG0GvKKO1i26CjEZGXNx PgnOWFsrQU8bMgvgJ24c9OdcPnCBivQNu9CJGwMDTwdCnljR+n/xrrjCGBYXZFnZUB1y IMs7m5Hcg9a6Ka3EdREs9DrtMkNGrR96WPOHRapHzZJnCu4yjYiZi0bo7lhmZv9eObA0 meignIg/DRuzG7ji2ghlHtG38afi5p4pnmkTMeUoLxEmqJRtV1vwwFLPETa8ml01W44Y Qx8w==
X-Gm-Message-State: ACrzQf2vXD9h/evG2NRqMApL4WkUfeDaIkZLf5kzm8pPAWzyHeqFPoQ2 Eej7/P+4aMXJwD0NuapX8OAZJrmfJTpLEVhwD1Vd6JGTa9rIGFXSClsRUekq2L94JycuP7zRZSY azyODmS+8BV2S8yvHdkSHT87MvMw=
X-Received: by 2002:a17:906:3852:b0:78d:b3d2:97a9 with SMTP id w18-20020a170906385200b0078db3d297a9mr5284169ejc.565.1665415857934; Mon, 10 Oct 2022 08:30:57 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6tL7lOmbNxkbv8316raK5hP3DM3Db+8VG3HTwYIKi8ZOEgynMhxOHEwImcU0tntstONOjw4F9rpk57lPDv/5U=
X-Received: by 2002:a17:906:3852:b0:78d:b3d2:97a9 with SMTP id w18-20020a170906385200b0078db3d297a9mr5284150ejc.565.1665415857609; Mon, 10 Oct 2022 08:30:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com> <35484ed3-509a-39ba-6a16-8f2bf807f4f2@joelhalpern.com> <BAAD744A-2AD2-4498-90EC-9C9A184E0A8A@cisco.com> <CAOj+MMGjTa+zwRHnRWWu-+bRZd83vo4xz22XuRK+7TJ5A81DQQ@mail.gmail.com> <a10a6d8c-ef59-398b-1b53-dc3e688c16b0@joelhalpern.com> <CAOj+MMFGRjevpYLGxwiRs1GP-yN8eAxE6a7JKxuhbsYrJgUyLA@mail.gmail.com> <0d911d38-b939-692a-9b8b-24ff752672bc@joelhalpern.com> <CAOj+MMEnYR-ORvtUg+mrq=TW=QXrKYRXoJx=eaFhv2rc+rb+WQ@mail.gmail.com> <CAN-Dau1iOPn5kiu1nxNmp7U+ziCqN1m+isadBwQTZfz1WTFgiQ@mail.gmail.com> <CAOj+MMHWGVDKO5NAzP=hcb3swoO-i+PKz+dkb7j-AZ5CY=DYWQ@mail.gmail.com>
In-Reply-To: <CAOj+MMHWGVDKO5NAzP=hcb3swoO-i+PKz+dkb7j-AZ5CY=DYWQ@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Mon, 10 Oct 2022 10:30:41 -0500
Message-ID: <CAN-Dau0-r1xJ5_iR+ec8PRMXuVijkkhoi5EYRW72FtB1CkB28A@mail.gmail.com>
To: Robert Raszuk <robert@raszuk.net>
Cc: Joel Halpern <jmh.direct@joelhalpern.com>, 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000098bbec05eaafd84c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/Q8VSqCu2GM8-0T01ROMH-VLxEfI>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 15:32:07 -0000

Well, I'd agree it is contrary to several RFCs, but illegal is way too
strong of a word and implies somehow that RFCs gained the force of law that
I'm not aware they have.

Furthermore, declaring the dropping of packets as evil is additional
unnecessary hyperbole.

Finally, if we are going to go after people for committing immoral acts
against packets, dropping them because of SRH headers is fairly low on my
list.

Thanks

On Mon, Oct 10, 2022 at 10:05 AM Robert Raszuk <robert@raszuk.net> wrote:

> David,
>
> No, that is not what I am saying. I am saying that the concept of limited
> domains is very loosely defined in rfc8799 and using it as a base to drop
> packets which contain SRH is not right.
>
> For example are my enterprise sites interconnected with SD-WAN a limited
> domain - surely is for me even if I use vanilla IPv6 Interconnect to talk
> between them.
>
> And let's not worry about such sites' security ... This is a completely
> different topic. Let's agree that dropping IPv6 packets somewhere in
> transit only because they contain specific extension header is illegal.
>
> Thx,
> R.
>
>
>
>
> On Mon, Oct 10, 2022 at 4:56 PM David Farmer <farmer@umn.edu> wrote:
>
>> If you are saying the concept of Limited Domains does not apply to SRH
>> since it isn't an IETF consensus document, then I believe that calls the
>> consensus for SRH into serious question. Furthermore, if the SRH consensus
>> is questionable, the idea that operators might filter it shouldn't be
>> surprising.
>>
>> Thanks
>>
>> On Mon, Oct 10, 2022 at 9:24 AM Robert Raszuk <robert@raszuk.net> wrote:
>>
>>> Joel,
>>>
>>> Am I wrong understanding that definition of "limited domain" was never
>>> approved by any formal IETF process ?
>>>
>>> If so do you really think we should be bounded on something which has
>>> been defined outside of IETF ?
>>>
>>> Cheers,
>>> Robert
>>>
>>> On Mon, Oct 10, 2022 at 4:03 PM Joel Halpern <jmh.direct@joelhalpern.com>
>>> wrote:
>>>
>>>> SRH was explicitly defined for use in limited domains.   That is why I
>>>> think dropping it is acceptable.  Certainly not required, but permitted.
>>>> The closest equivalent is NSH, which is also defined for limited domains.
>>>> In my personal opinion (not speaking for the SFC working group) I think it
>>>> would be legitimate for a domain, particularly one that is using NSH, to
>>>> drop packets where the IP carried protocol is NSH.  (I would prefer that
>>>> they block only packets to their domain with carried protocol of NSH, but
>>>> that is up to the operator.)
>>>>
>>>> You have said that you consider the limited domain requirement to be
>>>> wrong and irrelevant.  Whether you agree with it or not, it is in the RFC.
>>>> Operators may reasonably act on that.
>>>>
>>>> Yours,
>>>>
>>>> Joel
>>>> On 10/10/2022 9:59 AM, Robert Raszuk wrote:
>>>>
>>>> >  it seems acceptable to block all packets with SRH
>>>>
>>>> And such statements you are making are exactly my point.
>>>>
>>>> Just curious - Is there any other extension header type subject to
>>>> being a good enough reason to drop packets at any transit node in IPv6 ?
>>>>
>>>> Thx,
>>>> R.
>>>>
>>>> On Mon, Oct 10, 2022 at 3:53 PM Joel Halpern <
>>>> jmh.direct@joelhalpern.com> wrote:
>>>>
>>>>> Protection from leaking inwards is required by the RFCs as far as I
>>>>> know.
>>>>>
>>>>> Note that there are multiple ways to apply such protection.  It is
>>>>> sufficient for the domain only to block packets addressed to its own SID
>>>>> prefixes.  If the domain is using SRv6 without compression or reduction, it
>>>>> seems acceptable to block all packets with SRH.  After all, they should not
>>>>> be occurring.  But we do not tell operators how to perform the filtering.
>>>>> It is up to them what they do.
>>>>>
>>>>> Yours,
>>>>>
>>>>> Joel
>>>>>
>>>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>>
>>
>> --
>> ===============================================
>> David Farmer               Email:farmer@umn.edu
>> Networking & Telecommunication Services
>> Office of Information Technology
>> University of Minnesota
>> 2218 University Ave SE        Phone: 612-626-0815
>> Minneapolis, MN 55414-3029   Cell: 612-812-9952
>> ===============================================
>>
>

-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email