IETF Logo Mail Archive

Re: [spring] 6MAN WGLC: draft-ietf-6man-sids

Joel Halpern <jmh.direct@joelhalpern.com> Mon, 10 October 2022 13:53 UTC

Return-Path: <jmh.direct@joelhalpern.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08DF7C14CF0B; Mon, 10 Oct 2022 06:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FOSjAjWTfEp2; Mon, 10 Oct 2022 06:53:16 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 417E6C14F73D; Mon, 10 Oct 2022 06:53:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 4MmL3H6z11z1pYyt; Mon, 10 Oct 2022 06:53:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1665409995; bh=sX+zbHBIudaMjHWnLLsbyHW6Oh11iHzp0Sk1ZzNoxkE=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=a9DJdG6pSt8Ln1ocvAeDarfkPnZrBHYc6zziL+T+/tCPLpwgmPGG/0A8eRo+sCc72 hPcd/ykY4zge653gYID5txj6dNMwWo9JuRTX0JsmPxPYCPoCnm9VsDyKhuzn5KoIMC 5SmcGER/i0gV2WCaPZl6ek6fizbyfLmjt8j06dUQ=
X-Quarantine-ID: <Fietz9dCvT6e>
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [192.168.23.73] (unknown [50.233.136.230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4MmL3G3jTrz1pYyX; Mon, 10 Oct 2022 06:53:14 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------H0dAYJPApZoU0feiEnb2sJFw"
Message-ID: <a10a6d8c-ef59-398b-1b53-dc3e688c16b0@joelhalpern.com>
Date: Mon, 10 Oct 2022 09:53:12 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1
Content-Language: en-US
To: Robert Raszuk <robert@raszuk.net>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: 6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
References: <CAFU7BARixwPZTrNQOuEw3WP-FqUsVwTj7btMTahcMbXm_NqWGw@mail.gmail.com> <CAB75xn4Zme4KOjPuY1_-4jCKTk1jshbq8X645zXhYQLiKB+N9g@mail.gmail.com> <54A38015-95AD-41F0-8E9D-76B3E62AA55B@gmail.com> <bdd7bf12-f712-3fe5-2698-9272c16ddded@joelhalpern.com> <58E77509-A1A1-4CE8-9EE4-22BEEEA8B62E@gmail.com> <98a941e4-0fff-ced1-d4ca-4406368eac31@joelhalpern.com> <4DC495DF-AD6B-4D60-80C4-B836DD365A0C@gmail.com> <CAOj+MMEx7+jWN1yC=81dMwo5GmqbhyHqOZr9W2_qzN9BNjs+Zw@mail.gmail.com> <ab55e9c0-60b9-2986-07f1-38c28852009e@joelhalpern.com> <CAOj+MMEn6Dz-Rz0PRRvR8VXT8idAQm+rLuouWJoNz-dA+kRkJQ@mail.gmail.com> <1fe2d387-8ecc-5240-092c-84a5978af5e4@gmail.com> <CAOj+MME6Nb3MLQCiGQ5S06Cwj6d3Z+aoSpxwFdtoFaV-yPPuJQ@mail.gmail.com> <e65772a1-bc86-c59c-e99f-7cabf92f28a4@joelhalpern.com> <183BB8B9-A338-4136-8546-7C7858B4D4E4@cisco.com> <35484ed3-509a-39ba-6a16-8f2bf807f4f2@joelhalpern.com> <BAAD744A-2AD2-4498-90EC-9C9A184E0A8A@cisco.com> <CAOj+MMGjTa+zwRHnRWWu-+bRZd83vo4xz22XuRK+7TJ5A81DQQ@mail.gmail.com>
From: Joel Halpern <jmh.direct@joelhalpern.com>
In-Reply-To: <CAOj+MMGjTa+zwRHnRWWu-+bRZd83vo4xz22XuRK+7TJ5A81DQQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/QZYBvMGY7BYusgZW6U-7LYJrgg8>
Subject: Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 13:53:21 -0000

Protection from leaking inwards is required by the RFCs as far as I know.

Note that there are multiple ways to apply such protection.  It is 
sufficient for the domain only to block packets addressed to its own SID 
prefixes.  If the domain is using SRv6 without compression or reduction, 
it seems acceptable to block all packets with SRH.  After all, they 
should not be occurring.  But we do not tell operators how to perform 
the filtering.  It is up to them what they do.

Yours,

Joel

On 10/10/2022 9:49 AM, Robert Raszuk wrote:
> All,
>
> So protection not to leak outside the domain is all cool.
>
> But we now see a notion of "leaking inwards" which is exactly my 
> observation .. as if applied by any transit will kill SRv6 
> "limited domain" interconnect over Internet.
>
> Best,
> R.
>
> On Mon, Oct 10, 2022 at 3:45 PM Eric Vyncke (evyncke) 
> <evyncke@cisco.com> wrote:
>
>     Hi Joel,
>
>     So, your sentence below "We require, per the RFC, blocking SRH
>     outside of the limited domain for many reasons" was to be read as
>     "do not leak SRH outside your own domain" ? If so, I guess we
>     agree for 99%, the remaining 1% seems to be related to Robert's
>     use case, which is valid in my mind. All in all, I really hope
>     that IPv6 packets with extension headers could travel safely the
>     global public Internet without being dropped, hence my original reply.
>
>     And of course, this email and the previous one are written without
>     any hat and are not related to Suresh's I-D.
>
>     Regards
>
>     -éric
>
>     *From: *Joel Halpern <jmh@joelhalpern.com>
>     *Date: *Monday, 10 October 2022 at 15:36
>     *To: *Eric Vyncke <evyncke@cisco.com>, Robert Raszuk
>     <robert@raszuk.net>
>     *Cc: *6man <ipv6@ietf.org>, SPRING WG List <spring@ietf.org>
>     *Subject: *Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
>
>     Eric, you seem to be objecting to something I did not say.  I have
>     not asked, and do not expect, for the document to mandate or even
>     suggest that arbitrary domains should drop packets with SRH.  I
>     will note that given that SRH is explicitly for limited domains,
>     an operator who chooses to drop such packets is well within his
>     rights.  And I am told there are such operators.  But that is not
>     what I asked for this document.
>
>     What I asked, and I believe Suresh has agreed to, and I beleive
>     the WG supports, is that the document note that an operator using
>     SRv6 who does not use the allocated SID, and block the allocated
>     SID at his boundaries, has to be more careful to define his
>     ingress and egress filters to comply with the existing RFCs which
>     require that SRv6 not leak inwards or outwards.
>
>     Robert objected to that requirement.  And propounde3d a use case
>     that he says he needs.  I pointed out that the use case violates
>     the RFC.  And then pointed out one of the many reasons why the
>     IETF has put in the requirement which he wants to violate.
>
>     Yours,
>
>     Joel
>
>     On 10/10/2022 5:57 AM, Eric Vyncke (evyncke) wrote:
>
>         Hmmm I really wonder why a transit network should look into my
>         packets (to check for SRH) and decide to drop my packets;
>         assuming of course that my packets are not damaging the
>         transit network (like some hop-by-hop years ago) or attempting
>         to trick my network (anti-spoofing or using transit provider
>         own SID -- both being layer-3 filters BTW).
>
>         -éric
>
>         *From: *ipv6 <ipv6-bounces@ietf.org>
>         <mailto:ipv6-bounces@ietf.org> on behalf of Joel Halpern
>         <jmh@joelhalpern.com> <mailto:jmh@joelhalpern.com>
>         *Date: *Sunday, 9 October 2022 at 16:38
>         *To: *Robert Raszuk <robert@raszuk.net> <mailto:robert@raszuk.net>
>         *Cc: *6man <ipv6@ietf.org> <mailto:ipv6@ietf.org>, SPRING WG
>         List <spring@ietf.org> <mailto:spring@ietf.org>
>         *Subject: *Re: [spring] 6MAN WGLC: draft-ietf-6man-sids
>
>         We require, per the RFC, blocking SRH outside of the limited
>         domain for many reasons.
>
>         One example is that it turns SRH into a powerful attack
>         vector, given that source address spoofing means there is
>         little way to tell whether an unencapsulated packet actually
>         came from another piece of the same domain.
>
>         So yes, I think making this restriction clear in this RFC is
>         important and useful.
>
>         Yours,
>
>         Joel
>
>         On 10/8/2022 5:07 PM, Robert Raszuk wrote:
>
>             Hi Brian,
>
>             Completely agree.
>
>             One thing is not to guarantee anything in respect to
>             forwarding IPv6 packets with SRH (or any other extension
>             header) and the other thing is to on purpose recommending
>             killing it at interdomain boundary as some sort of evil.
>
>             Cheers,
>
>             R.
>
>             On Sat, Oct 8, 2022 at 9:51 PM Brian E Carpenter
>             <brian.e.carpenter@gmail.com> wrote:
>
>                 Robert,
>
>                 > If there is any spec which mandates that someone
>                 will drop my IPv6 packets only because they contain
>                 SRH in the IPv6 header I consider this an evil and
>                 unjustified action.
>
>                 The Internet is more or less opaque to most extension
>                 headers, especially to recently defined ones, so I
>                 don't hold out much hope for SRH outside SR domains.
>
>                 https://www.rfc-editor.org/rfc/rfc9098.html
>                 https://datatracker.ietf.org/doc/html/draft-elkins-v6ops-eh-deepdive-fw
>
>                 Regards
>                     Brian Carpenter
>
>                 On 09-Oct-22 07:52, Robert Raszuk wrote:
>                 > Hi Joel,
>                 >
>                 > I was hoping this is apparent so let me restate that
>                 I do not buy into "limited domain" business for SRv6.
>                 >
>                 > I have N sites connected over v6 Internet. I want to
>                 send IPv6 packets between my "distributed globally
>                 limited domain" without yet one more encap.
>                 >
>                 > If there is any spec which mandates that someone
>                 will drop my IPv6 packets only because they contain
>                 SRH in the IPv6 header I consider this an evil and
>                 unjustified action.
>                 >
>                 > Kind regards,
>                 > Robert
>                 >
>                 > On Sat, Oct 8, 2022 at 7:40 PM Joel Halpern
>                 <jmh@joelhalpern.com <mailto:jmh@joelhalpern.com>> wrote:
>                 >
>                 >     Robert, I am having trouble understanding your
>                 email.
>                 >
>                 >     1) A Domain would only filter the allocated SIDs
>                 plus what it chooses to use for SRv6.
>                 >
>                 >     2) Whatever it a domain filters should be
>                 irrelevant to any other domain, since by definition
>                 SRv6 is for use only within a limited domain.  So as
>                 far as I can see there is no way a domain can apply
>                 incorrect filtering.
>                 >
>                 >     Yours,
>                 >
>                 >     Joel
>                 >
>                 >     On 10/8/2022 3:16 AM, Robert Raszuk wrote:
>                 >>     Hi Suresh,
>                 >>
>                 >>         NEW:
>                 >>         In case the deployments do not use this
>                 allocated prefix additional care needs to be exercised
>                 at network ingress and egress points so that SRv6
>                 packets do not leak out of SR domains and they do not
>                 accidentally enter SR unaware domains.
>                 >>
>                 >>
>                 >>     IMO this is too broad. I would say that such
>                 ingress filtering could/should happen only if dst or
>                 locator is within locally  configured/allocated
>                 prefixes. Otherwise it is pure IPv6 transit and I see
>                 no harm not to allow it.
>                 >>
>                 >>         Similarly as stated in Section 5.1 of
>                 RFC8754 packets entering an SR domain from the outside
>                 need to be configured to filter out the selected
>                 prefix if it is different from the prefix allocated here.
>                 >>
>                 >>
>                 >>     Again the way I read it this kills pure IPv6
>                 transit for SRv6 packets. Why ?
>                 >>
>                 >>     (Well I know the answer to "why" from our
>                 endless discussions about SRv6 itself and network
>                 programming however I still see no need to mandate in
>                 any spec to treat SRv6 packets as unwanted/forbidden
>                 for pure IPv6 transit.)
>                 >>
>                 >>     Thx,
>                 >>     R.
>                 >
>                 >
>                 >
>                 --------------------------------------------------------------------
>                 > IETF IPv6 working group mailing list
>                 > ipv6@ietf.org
>                 > Administrative Requests:
>                 https://www.ietf.org/mailman/listinfo/ipv6
>                 >
>                 --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email